CVE-2026-26067
Published 2026-04-21
Priority: P4 29 | medium | 4.9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.25% (15.7th percentile)
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | system | >= 0 < 3.7.14 | 3.7.14 |
| october | system | >= 4.0.0 < 4.1.10 | 4.1.10 |
| octobercms | october | < 3.7.14 | 3.7.14 |
| octobercms | october | — | — |
GHSA
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
ghsa·2026-04-21
CVE-2026-26067 [MEDIUM] CWE-200 October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft `.less`, `.sass`, or `.scss` files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with `cms.safe_mode` enabled.
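A defensive audit for the import behaviour described above, as an added example that is not October CMS code and not part of the advisory: it walks a theme directory and lists every `.less`, `.sass`, or `.scss` file whose import target resolves outside that directory. The function names, the theme layout and the sample paths are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREPROCESSOR_EXTS = {".less", ".sass", ".scss"}  # extensions named in the advisory
STATEMENT = re.compile(r"@(?:import|use|forward)\b([^;\n]*)", re.IGNORECASE)
QUOTED = re.compile(r"""["']([^"']+)["']""")
REMOTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)

def import_targets(source):
    """Yield every path named by an @import/@use/@forward statement."""
    for stmt in STATEMENT.finditer(source):
        rest = stmt.group(1)
        # Indented .sass syntax allows unquoted targets: "@import a, b"
        yield from QUOTED.findall(rest) or [t.strip() for t in rest.split(",") if t.strip()]

def escapes_root(stylesheet, target, root):
    """True when a local import target resolves outside the theme root."""
    if REMOTE.match(target):
        return False  # remote URL, not a server-side file read
    resolved = (stylesheet.parent / target).resolve()  # an absolute target replaces the base
    return resolved != root and root not in resolved.parents

def audit_theme(theme_root):
    """Return sorted (relative stylesheet, import target) pairs that leave the theme."""
    root = Path(theme_root).resolve()
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PREPROCESSOR_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(path.relative_to(root).as_posix(), t)
                         for t in import_targets(text) if escapes_root(path, t, root)]
    return sorted(findings)

def demo():
    """Audit a constructed theme tree (sample data, not from any real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        css = Path(tmp, "themes", "demo", "assets", "css")
        css.mkdir(parents=True)
        (css / "_vars.scss").write_text("$c: #333;\n")
        (css / "site.scss").write_text('@import "vars";\n@import "../../../../outside/notes";\n')
        (css / "print.less").write_text('@import "/srv/placeholder/file.txt";\n')
        return audit_theme(Path(tmp, "themes", "demo"))

if __name__ == "__main__":
    for stylesheet, target in demo():
        print(f"{stylesheet}: import leaves theme root -> {target}")
```

This is a triage heuristic over source text, not a preprocessor parser, so treat any hit as a prompt to review the file and who last edited it. Upgrading to a fixed release remains the remedy.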
### Impact
- Potential exposure of sensitive server-side files
- Requires authenticated backend access with Editor permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. When `cms.safe_mode` is enabled, `.less`, `.sass`, and `.scss` files can no longer be created, uploade
VulDB
October CMS up to 3.7.13/4.1.9 CSS Preprocessor File authorization
vuldb·2026-04-21·CVSS 4.9
CVE-2026-26067 [MEDIUM] October CMS up to 3.7.13/4.1.9 CSS Preprocessor File authorization
A vulnerability, which was classified as problematic, was found in October CMS up to 3.7.13/4.1.9. This affects an unknown part of the component CSS Preprocessor File Handler. Such manipulation leads to incorrect authorization.
This vulnerability is traded as CVE-2026-26067. The attack may be launched remotely. There is no exploit available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.