Skip to main content

October CVE-2026-22692

| EUVDEUVD-2026-22357 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-04-14 GitHub_M GHSA-m5qg-jc75-4jp6
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 18:49 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:00 euvd
EUVD-2026-22357
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today
CVE Published
Apr 14, 2026 - 16:48 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To workaround this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.

AnalysisAI

Sandbox bypass in October CMS versions prior to 3.7.13 and 4.0.0-4.1.4 allows authenticated users with template editing permissions to bypass the optional Twig safe mode (CMS_SAFE_MODE) protections via unrestricted collect() helper methods. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with the non-default CMS_SAFE_MODE feature enabled. Fixed in versions 3.7.13 and 4.1.5.

Technical ContextAI

October CMS is a Laravel-based content management system that optionally supports Twig safe mode via the CMS_SAFE_MODE configuration flag, designed to restrict template functionality for untrusted editors. The vulnerability exists in CMS_SAFE_MODE's sandbox implementation where certain methods on the collect() helper function were not properly restricted by the sandbox enforcer (CWE-693: Improper Restriction of Rendered UI Layers or Frames). This allows authenticated users with template editing permissions to invoke unrestricted methods that escape the intended sandbox boundary. The issue only manifests when CMS_SAFE_MODE is explicitly enabled; by default, this protection is disabled.

RemediationAI

Upgrade to October CMS version 3.7.13 or later (for the 3.x branch) or to version 4.1.5 or later (for the 4.x branch). For systems that cannot be immediately patched, disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to only fully trusted administrators. Refer to the vendor security advisory at https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6 for detailed guidance.

CVE-2017-1000119 HIGH POC
7.2 Oct 05

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise

CVE-2021-3311 CRITICAL POC
9.8 Feb 05

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-32648 CRITICAL POC
9.1 Aug 26

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2017-16244 HIGH POC
8.8 Nov 01

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po

CVE-2022-21705 HIGH POC
7.2 Feb 23

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner

CVE-2018-7198 MEDIUM POC
6.1 Feb 18

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu

CVE-2017-1000196 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis

CVE-2017-1000197 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating

CVE-2017-1000194 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site

CVE-2017-15284 MEDIUM POC
5.4 Oct 12

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil

CVE-2015-5613 MEDIUM POC
5.4 Sep 28

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar

CVE-2023-43876 MEDIUM POC
5.4 Sep 28

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w

Share

CVE-2026-22692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy