CVE-2026-26067
published 2026-04-21

Priority: P429
Severity: medium, 4.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.25% (15.7th percentile)

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.

Affected

4 ranges
Vendor      Product  Version range        Fixed in
october     system   >= 0 < 3.7.14        3.7.14
october     system   >= 4.0.0 < 4.1.10    4.1.10
octobercms  october  < 3.7.14             3.7.14
octobercms  october