Description
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
Published: 2026-04-21
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity Compromise
Action: Immediate Patch
AI Analysis

Impact

October CMS allows backend users with Developer permission to write to any database table through Twig template markup when safe mode is enabled. The vulnerability stems from an overly permissive sandbox allow‑list that includes the query builder, permitting insert, update, and delete operations. An attacker who can exploit this can alter, delete, or corrupt website data, compromising data integrity and potentially enabling further malicious actions.

Affected Systems

October CMS versions older than 3.7.14 or 4.1.10 are affected. The issue exists in the core October product when the cms.safe_mode configuration is enabled.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity. EPSS data is unavailable, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA’s KEV catalog. Likely attack vectors involve a legitimate developer with backend access who can inject Twig code; no additional network-level access is required.

Generated by OpenCVE AI on April 21, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade October CMS to 3.7.14 or later, or 4.1.10 or later, which removes the permissive sandbox entry
  • If upgrading is not immediately feasible, disable cms.safe_mode unless its functionality is absolutely required
  • Limit backend users to the minimal necessary roles; avoid assigning the Developer role to untrusted personnel

Generated by OpenCVE AI on April 21, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h6jm-f4hh-fw27 October CMS has Safe Mode Bypass via Twig Database Write Operations
History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Octobercms
Octobercms october
Vendors & Products Octobercms
Octobercms october
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
Title October: Safe Mode Bypass via Twig Database Write Operations
Weaknesses CWE-184
CWE-863
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Octobercms October
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:16:38.739Z

Reserved: 2026-02-12T17:10:53.413Z

Link: CVE-2026-26274

cve-icon Vulnrichment

Updated: 2026-04-21T19:16:35.413Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T17:16:30.667

Modified: 2026-04-22T21:08:48.550

Link: CVE-2026-26274

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses