CVE-2026-26274
Published 2026-04-21
Priority: P3 (37) · Severity: medium · CVSS 3.1 base score: 6.6
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.23% (13.6th percentile)
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | october | >= 0 < 3.7.14 | 3.7.14 |
| october | october | >= 4.0.0 < 4.1.10 | 4.1.10 |
| octobercms | october | < 3.7.14 | 3.7.14 |
| octobercms | october | — | — |
VulDB
October CMS up to 3.7.13/4.1.9 incomplete blacklist
vuldb·2026-04-21·CVSS 6.6
CVE-2026-26274 [MEDIUM] October CMS up to 3.7.13/4.1.9 incomplete blacklist
A vulnerability labeled as critical has been found in October CMS up to 3.7.13/4.1.9. The impacted element is an unknown function. Such manipulation leads to an incomplete blacklist.
This vulnerability is listed as CVE-2026-26274. The attack may be performed from remote. There is no available exploit.
The affected component should be upgraded.
GHSA
October CMS has Safe Mode Bypass via Twig Database Write Operations
ghsa·2026-04-21
CVE-2026-26274 [MEDIUM] CWE-184 October CMS has Safe Mode Bypass via Twig Database Write Operations
A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when `cms.safe_mode` is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.
### Impact
- Arbitrary database writes including modification or deletion of any table
- Requires authenticated backend access with Developer permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as `insert`, `update`, `del
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.