CVE-2026-26274 — Incomplete List of Disallowed Inputs in October

CWE-184 — Incomplete List of Disallowed Inputs CWE-863 — Incorrect Authorization3 documents3 sources

Severity

6.6MEDIUMNVD

EPSS

0.1%

top 78.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October

Timeline

PublishedApr 21

Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages2 packages

▶Packagistoctober/october4.0.0 — 4.1.10+1

▶CVEListV5octobercms/october< 3.7.14+1

🔴Vulnerability Details

VulDB

October CMS up to 3.7.13/4.1.9 incomplete blacklist↗2026-04-21

▶

GHSA

October CMS has Safe Mode Bypass via Twig Database Write Operations↗2026-04-21

▶