CVE-2026-26274
October: Safe Mode Bypass via Twig Database Write Operations
CVSS Score
6.6
EPSS Score
0.0%
EPSS Percentile
0th
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
| CWE | CWE-184 CWE-863 |
| Vendor | octobercms |
| Product | october |
| Published | Apr 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for octobercms october
Be the first to know when new medium vulnerabilities affecting octobercms october are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
octobercms / october
>= 4.0.0, < 4.1.10 < 3.7.14