Skip to main content

October CMS EUVDEUVD-2026-24153

| CVE-2026-26067 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-21 GitHub_M GHSA-3888-q23f-x7qh
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:08 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:00 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24153
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:16 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.

AnalysisAI

October CMS versions prior to 3.7.14 and 4.1.10 allow authenticated backend users with Editor permissions to read arbitrary server files by crafting malicious CSS preprocessor files (.less, .sass, .scss) that exploit the compiler's import functionality. The vulnerability persists even when cms.safe_mode is enabled, enabling high-confidence information disclosure of sensitive configuration files, credentials, and application source code without requiring administrative privileges.

Technical ContextAI

October CMS processes CSS preprocessor files (LESS, SASS, SCSS) through server-side compilers that support import directives. The vulnerability exists in the preprocessor compiler integration layer, which fails to adequately sandbox or restrict file system access when resolving import statements. The CWE-863 classification indicates improper authorization - specifically, the system fails to enforce proper access controls on file operations initiated through preprocessor compilation, allowing the compiler's native import mechanism (which typically has broad file system access) to be weaponized by lower-privileged users. This occurs at the intersection of user-supplied preprocessor syntax and privileged compiler execution, where the cms.safe_mode mitigation does not extend to preprocessor file handling.

RemediationAI

Upgrade October CMS to version 3.7.14 (for 3.x users) or 4.1.10 (for 4.x users) or later immediately. These versions include patched CSS preprocessor file handling that enforces proper file system access controls. If immediate patching is not feasible, implement compensating controls: (1) Restrict Editor role assignments to trusted personnel only - audit and remove unnecessary Editor permissions from user accounts; (2) Disable CSS preprocessor compilation features if not required for your workflow, reducing the attack surface; (3) Implement file system access controls at the OS level to prevent the web server process from reading sensitive files outside the application directory (e.g., /etc/passwd, database credential files) - this does not eliminate the vulnerability but limits data exposure; (4) Monitor and audit all .less, .sass, and .scss file uploads and compilations through backend logs. Note that cms.safe_mode does not mitigate this vulnerability - do not rely on it as a control. Upgrade is the only fully effective remedy. Detailed patching instructions are provided in the GitHub advisory.

CVE-2017-1000119 HIGH POC
7.2 Oct 05

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise

CVE-2021-3311 CRITICAL POC
9.8 Feb 05

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-32648 CRITICAL POC
9.1 Aug 26

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2017-16244 HIGH POC
8.8 Nov 01

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po

CVE-2022-21705 HIGH POC
7.2 Feb 23

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner

CVE-2018-7198 MEDIUM POC
6.1 Feb 18

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu

CVE-2017-1000196 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis

CVE-2017-1000197 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating

CVE-2017-1000194 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site

CVE-2017-15284 MEDIUM POC
5.4 Oct 12

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil

CVE-2015-5613 MEDIUM POC
5.4 Sep 28

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar

CVE-2023-43876 MEDIUM POC
5.4 Sep 28

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w

Share

EUVD-2026-24153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy