CVE-2026-22692
Published 2026-04-14
Priority P3 · 37 · medium · 6.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.40% (31.4th percentile)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (it is disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To work around this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | rain | >= 0 < 3.7.13 | 3.7.13 |
| october | rain | >= 4.0.0 < 4.1.5 | 4.1.5 |
| octobercms | october | < 3.7.13 | 3.7.13 |
| octobercms | october | — | — |
| octobercms | october | >= 4.0.0 < 4.1.5 | 4.1.5 |
VulDB
October CMS up to 3.7.12/4.1.4 collect protection mechanism (GHSA-m5qg-jc75-4jp6)
vuldb · 2026-04-14 · CVSS 4.9 · MEDIUM
A vulnerability described as problematic has been identified in October CMS up to 3.7.12/4.1.4. This vulnerability affects the function collect. The manipulation results in protection mechanism failure.
This vulnerability was named CVE-2026-22692. The attack may be performed remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
October Rain has a Twig Sandbox Bypass via Collection Methods
ghsa · 2026-04-14 · CWE-284 · MEDIUM
A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.
### Impact
- Bypass of Twig sandbox restrictions
- Only affects installations with `CMS_SAFE_MODE` enabled (disabled by default)
- Requires authenticated backend access with CMS template editing permissions
### Patches
The vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.
### Workarounds
If upgrading immediately is not possible:
- Disable `CMS_SAFE_MODE` if untrusted template editing is not required
- Restrict CMS template editing permissions to fully trusted administrators only
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.