CVE-2026-25125
Published 2026-04-14
Priority: P4 · 28 · medium · CVSS 3.1 base score 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.33% (24.3rd percentile)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned to the attacker when the page was reopened. This could enable exfiltration of credentials and secrets (database passwords, AWS keys, application keys), potentially leading to further attacks such as database access or cookie forgery. The vulnerability is only relevant when cms.safe_mode is enabled, as direct PHP injection is already possible otherwise. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to immediately upgrade, they can work around this issue by restricting Editor tool access to fully trusted administrators only, and ensuring database and cloud service credentials are not accessible from the web server's network.
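The mechanism above reproduced in a few lines, as an added example that is not October CMS code: PHP's default INI scanner expands `${NAME}` from the environment, while a raw parse keeps the text literal and a pre-parse validator refuses such input outright. The `APP_KEY` value, the `viewBag` section name and the `assertNoInterpolation` helper are constructed for this illustration; `INI_SCANNER_RAW` is shown as one possible mitigation, not as the project's actual fix.

```php
<?php
// Added example, not October CMS code. APP_KEY is a constructed sample, not a real secret.
putenv('APP_KEY=base64:CONSTRUCTED_SAMPLE_KEY');

// Settings text as an Editor-level user could submit it in a page settings field.
$untrustedIni = <<<'INI'
[viewBag]
title = ${APP_KEY}
INI;

// 1. Default scanner mode: the ${APP_KEY} reference is resolved from the environment,
//    so the secret lands in the parsed settings and in anything that persists them.
$expanded = parse_ini_string($untrustedIni, true, INI_SCANNER_NORMAL);
echo 'normal mode : ', $expanded['viewBag']['title'], PHP_EOL;   // the APP_KEY value

// 2. Defensive parse (assumed mitigation, not the project's fix): INI_SCANNER_RAW
//    takes values literally, so the reference stays as the text "${APP_KEY}".
$literal = parse_ini_string($untrustedIni, true, INI_SCANNER_RAW);
echo 'raw mode    : ', $literal['viewBag']['title'], PHP_EOL;    // ${APP_KEY}

// 3. Defence in depth: reject interpolation syntax before parsing and log the attempt,
//    since a ${...} reference in a page settings field is itself worth alerting on.
function assertNoInterpolation(string $ini): void
{
    if (preg_match('/\$\{[^}]*\}/', $ini, $m) === 1) {
        error_log('Rejected INI settings containing interpolation pattern ' . $m[0]);
        throw new InvalidArgumentException('Environment interpolation is not permitted in settings');
    }
}

try {
    assertNoInterpolation($untrustedIni);
} catch (InvalidArgumentException $e) {
    echo 'validator   : ', $e->getMessage(), PHP_EOL;
}
```

Raw mode also stops the scanner's other value conversions (booleans, constants), so a parser switched to it needs its downstream settings handling checked against that change.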
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | rain | >= 0 < 3.7.14 | 3.7.14 |
| october | rain | >= 4.0.0 < 4.1.10 | 4.1.10 |
| octobercms | october | < 3.7.14 | 3.7.14 |
| octobercms | october | — | — |
| octobercms | october | >= 4.0.0 < 4.1.10 | 4.1.10 |
VulDB
October CMS up to 3.7.13/4.1.9 Environment Variable parse_ini_string information disclosure (GHSA-g6v3-wv4j-x9hg)
vuldb·2026-04-14·CVSS 4.9
A vulnerability classified as problematic has been found in October CMS up to 3.7.13/4.1.9. Affected is the function parse_ini_string of the component Environment Variable Handler. The manipulation leads to information disclosure.
This vulnerability is uniquely identified as CVE-2026-25125. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
ghsa·2026-04-14
CVE-2026-25125 [MEDIUM] CWE-200 October Rain has Environment Variable Exfiltration via INI Parser Interpolation
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.
### Impact
- Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.)
- Could enable further attacks: database access, cookie forgery, AWS resource access
- Requires authenticated backend access with Editor pe
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-28368 undertow: Undertow: Request smuggling via inconsistent header parsing
bugzilla·2026-02-27·CVSS 9.1
Undertow splits header names from values on either space or colon, whichever comes first. This allows for the construction of crafted requests with headers that are visible only to Undertow, but not upstream proxies, which can be used to launch request smuggling attacks.
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 8.1
Via RHSA-2026:25126 https://access.redhat.com/errata/RHSA-2026:25126
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8
Via RHSA-2026:25125 https://access.redhat.com/errata/RHSA-2026:
Bugzilla
CVE-2026-28367 undertow: Undertow: Request smuggling via `\r\r\r` as a header block terminator
bugzilla·2026-02-27·CVSS 9.1
Undertow allows `\r\r\r` as a header block terminator. This can be used for request smuggling with proxy servers that forward this byte sequence, including older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer.
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 8.1
Via RHSA-2026:25126 https://access.redhat.com/errata/RHSA-2026:25126
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8
Via RHSA-2026:25125 https://access.redhat.com/errata/RHSA-2026:25125