Description
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.
Published: 2026-04-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Safe Mode Bypass
Action: Patch
AI Analysis

Impact

October CMS allows backend users holding the Editor permission to create .less, .sass, or .scss theme assets that the preprocessor compiler processes, including their import directives. By pointing an import at a path outside the theme, such a file can make the compiler read arbitrary files that the web server process can access, even with cms.safe_mode enabled. The result is a server-side information disclosure: an attacker can exfiltrate configuration files, source code, or other private data without executing arbitrary code.

Affected Systems

October CMS 3.x before 3.7.14 and 4.x before 4.1.10 are affected. The issue is fixed in 3.7.14 and 4.1.10 and later releases of each series.

Risk and Exploitability

The CVSS 3.1 base score is 4.9 (Medium; vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N): full confidentiality impact, offset by the high privileges required. The EPSS score is below 1% (very low), the SSVC enrichment records Exploitation: none and Automatable: no, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a valid backend account with Editor permissions; an attacker holding one who can save a crafted preprocessor file can read any file the web server process can read. The CVE record does not state whether public exploitation has occurred, so the current exploitation status is unknown.

Generated by OpenCVE AI on April 22, 2026 at 03:03 UTC.

Remediation

Vendor fix: October CMS 3.7.14 (3.x series) and 4.1.10 (4.x series), per the GitHub advisory GHSA-3888-q23f-x7qh. No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to October CMS 3.7.14 (3.x) or 4.1.10 (4.x), or later, to apply the official fix
  • Until the upgrade, limit the Editor permission to trusted accounts and remove the ability of non‑developer roles to create or edit theme assets, in particular .less, .sass, and .scss files
  • Audit existing theme preprocessor files for import directives that use absolute paths or resolve outside the theme directory, and review backend activity for unexpected edits to those files
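As an added example (not code from October CMS or from the advisory), the following Python script implements the kind of pre-compilation check the Impact and Recommended Actions sections call for: it extracts import directives from .less, .sass and .scss files in a theme and rejects any that use an absolute path, a scheme-qualified or remote URL, or a relative path that resolves outside the theme root. The import regex, the theme layout under /var/www/themes/demo and the sample files are constructed assumptions for this example; October's own compiler, its parser and its fix may differ, and the traversal in the sample is only an illustration of what the check rejects, not the advisory's proof of concept.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Recognises @import "x", @import 'x', @import url(x) and the Less form
# @import (inline) "x". This regex is an assumption for the example, not
# October's parser; a production check would walk the compiler's own AST.
IMPORT_RE = re.compile(
    r'@import\s*(?:\([^)]*\)\s*)?'      # optional Less option list
    r'(?:url\(\s*)?'                    # optional url( wrapper
    r'["\']?([^"\'()\s;]+)["\']?',      # the import target
    re.IGNORECASE,
)
PREPROCESSOR_EXTENSIONS = (".less", ".sass", ".scss")


@dataclass
class Finding:
    file: str     # theme-relative path of the offending preprocessor file
    target: str   # import target exactly as written
    reason: str


def import_targets(source: str) -> List[str]:
    """Return every import target written in a preprocessor source string."""
    return [m.group(1) for m in IMPORT_RE.finditer(source)]


def check_import(theme_root: str, file_path: str, target: str) -> Optional[str]:
    """Return why an import is unsafe, or None if it stays inside theme_root.

    Only POSIX paths are handled; a Windows drive prefix such as C:\\ is
    caught by the scheme check below rather than by the absolute-path check.
    """
    root = posixpath.normpath(theme_root)
    if re.match(r"^[a-z][a-z0-9+.-]*:", target, re.IGNORECASE) or target.startswith("//"):
        return "remote or scheme-qualified URL"
    if posixpath.isabs(target):
        return "absolute path"
    # Resolve relative to the importing file, then confirm the result is
    # still under the theme root (the check that defeats ../ traversal).
    resolved = posixpath.normpath(
        posixpath.join(root, posixpath.dirname(file_path), target)
    )
    if resolved != root and not resolved.startswith(root.rstrip("/") + "/"):
        return "resolves outside theme root"
    return None


def scan_theme(theme_root: str, files: Dict[str, str]) -> List[Finding]:
    """Check every preprocessor file in files (theme-relative path -> source)."""
    findings: List[Finding] = []
    for rel_path, source in files.items():
        if not rel_path.lower().endswith(PREPROCESSOR_EXTENSIONS):
            continue
        for target in import_targets(source):
            reason = check_import(theme_root, rel_path, target)
            if reason is not None:
                findings.append(Finding(rel_path, target, reason))
    return findings


# Constructed sample theme (an assumption for this example); the traversal in
# evil.scss illustrates what the check rejects, it is not the advisory's PoC.
SAMPLE_THEME = {
    "assets/less/theme.less": '@import "mixins.less";\n'
                              '@import (reference) "../less/grid";\n',
    "assets/css/evil.scss": '@import "../../../../etc/passwd";\n'
                            '@import url(/etc/hosts);\n',
    "assets/css/fonts.scss": '@import "https://example.invalid/fonts.css";\n',
}

if __name__ == "__main__":
    for finding in scan_theme("/var/www/themes/demo", SAMPLE_THEME):
        print(f"{finding.file}: @import {finding.target!r} rejected ({finding.reason})")
```

Run against the sample theme, theme.less passes (both imports stay under the theme), evil.scss is rejected twice (traversal out of the theme root, then an absolute path) and fonts.scss is rejected for its remote URL. Whether remote imports should be allowed is a policy choice; the example denies them because the compiler, not the browser, would fetch the target.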


Advisories
Source: GitHub GHSA
ID: GHSA-3888-q23f-x7qh
Title: October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Octobercms; Octobercms october

Type: Vendors & Products
Values removed: (none)
Values added: Octobercms; Octobercms october

Tue, 21 Apr 2026 16:30:00 +0000

Type: Description
Values removed: (none)
Values added: October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.

Type: Title
Values removed: (none)
Values added: October: Safe Mode Bypass via CSS Preprocessor Compilers

Type: Weaknesses
Values removed: (none)
Values added: CWE-184, CWE-863

Type: References

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:35:19.882Z

Reserved: 2026-02-10T18:01:31.900Z

Link: CVE-2026-26067

Vulnrichment

Updated: 2026-04-21T17:35:13.271Z

NVD

Status : Received

Published: 2026-04-21T17:16:24.383

Modified: 2026-04-21T17:16:24.383

Link: CVE-2026-26067

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:15:06Z

Weaknesses