CVE-2026-22692Improper Access Control in October

CWE-284Improper Access ControlCWE-693Protection Mechanism Failure3 documents3 sources
Severity
4.9MEDIUMNVD
EPSS
0.0%
top 95.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober Rain
Timeline
PublishedApr 14

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

Packagistoctober/rain4.0.04.1.5+1
CVEListV5octobercms/october< 3.7.13+1

🔴Vulnerability Details

2
VulDB
October CMS up to 3.7.12/4.1.4 collect protection mechanism (GHSA-m5qg-jc75-4jp6)2026-04-14
GHSA
October Rain has a Twig Sandbox Bypass via Collection Methods2026-04-14