October: Safe Mode Bypass via CSS Preprocessor Compilers_CVE-2026-26067

4.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.

Basic Information

ID CVE-2026-26067

Source GitHub_M

Published Apr 21, 2026 at 16:16

Affected Product

Vendor octobercms

Product october

Version >= 4.0.0, < 4.1.10

Affected Versions octobercms october >= 4.0.0, < 4.1.10
octobercms october < 3.7.14

CWE Classification

CWE-863 CWE-184

References

github.com /octobercms/october/security/advisories/GHSA-3888-q23f-x7qh

{
    "lastseen": "",
    "description": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.",
    "published": "2026-04-21T16:16:03.293Z",
    "modified": "2026-04-21T16:16:03.293Z",
    "type": "cve",
    "title": "October: Safe Mode Bypass via CSS Preprocessor Compilers",
    "source": "GitHub_M",
    "references": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh",
    "id": "CVE-2026-26067",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863",
        "CWE-184"
    ],
    "cvelist": null,
    "sourceData": "octobercms october >= 4.0.0, < 4.1.10\noctobercms october < 3.7.14",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "october",
    "version": ">= 4.0.0, < 4.1.10",
    "vendor": "octobercms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}