{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26067", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.900Z", "datePublished": "2026-04-21T16:16:03.293Z", "dateUpdated": "2026-04-21T17:35:19.882Z"}, "containers": {"cna": {"title": "October: Safe Mode Bypass via CSS Preprocessor Compilers", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh"}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"version": ">= 4.0.0, < 4.1.10", "status": "affected"}, {"version": "< 3.7.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:16:03.293Z"}, "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10."}], "source": {"advisory": "GHSA-3888-q23f-x7qh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:35:10.591022Z", "id": "CVE-2026-26067", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:35:19.882Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:35:10.591022Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:35:13.271Z"}}], "cna": {"title": "October: Safe Mode Bypass via CSS Preprocessor Compilers", "source": {"advisory": "GHSA-3888-q23f-x7qh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.10"}, {"status": "affected", "version": "< 3.7.14"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh", "name": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:16:03.293Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26067", "state": "PUBLISHED", "dateUpdated": "2026-04-21T17:35:19.882Z", "dateReserved": "2026-02-10T18:01:31.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:16:03.293Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10."}], "id": "CVE-2026-26067", "lastModified": "2026-04-21T17:16:24.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:24.383", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.1.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "october", "source": "cna", "vendor": "octobercms"}, "product": "october", "vendor": "octobercms"}], "analysis": {"en": {"generated_at": "2026-04-22T03:03:58.643146+00:00", "value": {"mitigation_remediation": ["Upgrade to October CMS 3.7.14 or 4.1.10 to apply the official fix", "Limit Editor permissions to non\u2011file\u2011uploading roles or remove the ability to upload CSS preprocessor files", "Monitor server logs for unexpected import operations and alert on repeated attempts to access sensitive file paths"], "summary": {"action": "Patch", "impact": "Information Disclosure via Safe Mode Bypass"}, "threat_synthesis": {"affected_systems": "Octobercms October CMS versions earlier than 3.7.14 and 4.1.10 are affected. The issue is mitigated in October CMS 3.7.14 and 4.1.10 and later releases.", "description_and_impact": "October CMS allows backend users with Editor permissions to upload .less, .sass, or .scss files that the compiler\u2019s import feature processes. By specifying import paths, these files can read arbitrary files on the server, even when the safe_mode setting is enabled. The vulnerability is a server\u2011side information disclosure that enables an attacker to exfiltrate sensitive configuration, source code, or other private data without executing arbitrary code.", "risk_and_exploitability": "The CVSS score of 4.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a valid backend Editor account; an attacker who can upload a crafted preprocessor file can read any file the web server can access. The CVE data does not specify whether public exploitation has occurred, so the current exploitation status is unknown."}}}}, "created": "2026-04-21T17:30:37.394671+00:00", "updated": "2026-04-22T03:15:06.407663+00:00", "vendors": ["octobercms", "octobercms$PRODUCT$october"]}