Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned to the attacker when the page was reopened. This could enable exfiltration of credentials and secrets (database passwords, AWS keys, application keys), potentially leading to further attacks such as database access or cookie forgery. The vulnerability is only relevant when cms.safe_mode is enabled, as direct PHP injection is already possible otherwise. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to immediately upgrade, they can work around this issue by restricting Editor tool access to fully trusted administrators only, and ensuring database and cloud service credentials are not accessible from the web server's network.
Published: 2026-04-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure (Environment Variable Exfiltration)
Action: Apply Patch
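The mechanism in the description (PHP's INI scanner expanding ${VAR} from the environment) and the mitigation side of it, as an added PHP example that is not October CMS code. It contrasts the default scanner mode with INI_SCANNER_RAW, shows a settings parser that refuses interpolation syntax before storing anything, and includes an audit helper for finding such patterns in already-stored template text. The function names parseSettingsSafely and findInterpolationPatterns and the environment variable EXAMPLE_SECRET are constructed for this illustration and do not come from the advisory.

```php
<?php
// Added example (not October CMS code). Demonstrates why parse_ini_string()
// resolves ${VAR} from the environment in its default mode, and two
// defensive measures: refusing the syntax on input and auditing stored text.

declare(strict_types=1);

/**
 * Parse an INI settings block without environment-variable interpolation.
 *
 * INI_SCANNER_RAW makes the scanner take values literally, so "${APP_KEY}"
 * stays the string "${APP_KEY}". The block is also rejected up front if it
 * contains "${" anywhere, so a stored template can never carry an expansion
 * pattern that a later, less careful parser might resolve.
 *
 * Hypothetical function name; returns null when the block is rejected.
 */
function parseSettingsSafely(string $ini): ?array
{
    // Refuse interpolation syntax before any parsing or storage happens.
    if (preg_match('/\$\{/', $ini) === 1) {
        return null;
    }

    $parsed = parse_ini_string($ini, true, INI_SCANNER_RAW);
    return $parsed === false ? null : $parsed;
}

/**
 * Audit helper: scan stored template or settings text for ${NAME} patterns
 * and return the distinct variable names referenced. Intended for reviewing
 * existing content on a site that has not yet been upgraded.
 */
function findInterpolationPatterns(string $text): array
{
    preg_match_all('/\$\{([A-Za-z_][A-Za-z0-9_]*)\}/', $text, $m);
    return array_values(array_unique($m[1]));
}

// --- Demonstration with a constructed, dummy environment variable ---
putenv('EXAMPLE_SECRET=dummy-value-not-a-real-secret');

// Constructed settings block, as a page settings field might store it.
$settings = "title = \"Home\"\nlayout = \${EXAMPLE_SECRET}\n";

// Default scanner mode: the ${EXAMPLE_SECRET} value is expanded from the
// process environment, which is the behaviour the advisory describes.
$normal = parse_ini_string($settings);
var_dump($normal['layout']);

// Raw scanner mode alone: the value is kept as the literal text "${EXAMPLE_SECRET}".
$raw = parse_ini_string($settings, false, INI_SCANNER_RAW);
var_dump($raw['layout']);

// Hardened parser: the whole block is refused because it contains "${".
var_dump(parseSettingsSafely($settings));

// Audit helper: reports EXAMPLE_SECRET as a referenced variable name.
print_r(findInterpolationPatterns($settings));
```

Running this shows the default-mode parse returning the dummy environment value, the raw-mode parse returning the literal "${EXAMPLE_SECRET}", and the hardened parser returning null. Refusing "${" outright is deliberately blunt: a CMS settings field has no legitimate need for INI interpolation, and relying on INI_SCANNER_RAW alone would still allow the pattern to be stored for some other consumer to expand later. Raw mode also disables other value conversions (for example, on/off/true/false stay literal strings), so existing settings should be re-tested after such a change.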
AI Analysis

Impact

The vulnerability allows an Editor to inject PHP INI variable patterns such as ${APP_KEY} or ${DB_PASSWORD} into page settings. PHP’s parse_ini_string() resolves these patterns, causing the CMS to store and later return sensitive environment variables within a template. This results in the exfiltration of credentials and secrets like database passwords, AWS keys, and application keys, potentially enabling subsequent attacks such as database compromise or cookie forgery.

Affected Systems

OctoberCMS (October CMS) versions earlier than 3.7.14 and 4.1.10 are affected when cms.safe_mode is enabled. The issue requires Editor role access and is confined to the settings parser in these CMS releases.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate risk. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate Editor access in a system running cms.safe_mode, after which an attacker can retrieve environment variables that may be used for further credential-based attacks. The vulnerability does not grant arbitrary code execution.

Generated by OpenCVE AI on April 14, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OctoberCMS to version 3.7.14 or 4.1.10 where the issue is fixed.
  • Restrict the Editor role so that only fully trusted administrators can edit page settings, eliminating the opportunity for malicious input.
  • Ensure that sensitive credentials are not reachable from the web server’s network or exposed through other configuration files.

Generated by OpenCVE AI on April 14, 2026 at 22:51 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-g6v3-wv4j-x9hg
Title: October Rain has Environment Variable Exfiltration via INI Parser Interpolation
History

Wed, 15 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Octobercms; Octobercms october

Type: Vendors & Products
Values Removed: (none)
Values Added: Octobercms; Octobercms october

Tue, 14 Apr 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: the CVE description text (identical to the Description section at the top of this page)

Type: Title
Values Removed: (none)
Values Added: October CMS: Environment Variable Exfiltration via INI Parser Interpolation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200; CWE-94

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:25:12.276Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25125

Vulnrichment

Updated: 2026-04-15T14:25:07.166Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T21:16:25.163

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-25125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses