CVE-2026-25125Code Injection in October

CWE-94Code InjectionCWE-200Sensitive Information Exposure3 documents3 sources
Severity
4.9MEDIUMNVD
EPSS
0.0%
top 97.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober Rain
Timeline
PublishedApr 14

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

Packagistoctober/rain4.0.04.1.10+1
CVEListV5octobercms/october< 3.7.14+1

🔴Vulnerability Details

2
VulDB
October CMS up to 3.7.13/4.1.9 Environment Variable parse_ini_string information disclosure (GHSA-g6v3-wv4j-x9hg)2026-04-14
GHSA
October Rain has Environment Variable Exfiltration via INI Parser Interpolation2026-04-14