{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26274", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.413Z", "datePublished": "2026-04-21T16:16:06.488Z", "dateUpdated": "2026-04-21T19:16:38.739Z"}, "containers": {"cna": {"title": "October: Safe Mode Bypass via Twig Database Write Operations", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27"}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"version": ">= 4.0.0, < 4.1.10", "status": "affected"}, {"version": "< 3.7.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:16:06.488Z"}, "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10."}], "source": {"advisory": "GHSA-h6jm-f4hh-fw27", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:16:28.731190Z", "id": "CVE-2026-26274", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:16:38.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26274", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:16:28.731190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:16:35.413Z"}}], "cna": {"title": "October: Safe Mode Bypass via Twig Database Write Operations", "source": {"advisory": "GHSA-h6jm-f4hh-fw27", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.10"}, {"status": "affected", "version": "< 3.7.14"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27", "name": "https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:16:06.488Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26274", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:16:38.739Z", "dateReserved": "2026-02-12T17:10:53.413Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:16:06.488Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10."}], "id": "CVE-2026-26274", "lastModified": "2026-04-22T21:08:48.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:30.667", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.1.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "october", "source": "cna", "vendor": "octobercms"}, "product": "october", "vendor": "octobercms"}], "analysis": {"en": {"generated_at": "2026-04-21T22:42:11.953293+00:00", "value": {"mitigation_remediation": ["Upgrade October CMS to 3.7.14 or later, or 4.1.10 or later, which removes the permissive sandbox entry", "If upgrading is not immediately feasible, disable cms.safe_mode unless its functionality is absolutely required", "Limit backend users to the minimal necessary roles; avoid assigning the Developer role to untrusted personnel"], "summary": {"action": "Immediate Patch", "impact": "Data Integrity Compromise"}, "threat_synthesis": {"affected_systems": "October CMS versions older than 3.7.14 or 4.1.10 are affected. The issue exists in the core October product when the cms.safe_mode configuration is enabled.", "description_and_impact": "October CMS allows backend users with Developer permission to write to any database table through Twig template markup when safe mode is enabled. The vulnerability stems from an overly permissive sandbox allow\u2011list that includes the query builder, permitting insert, update, and delete operations. An attacker who can exploit this can alter, delete, or corrupt website data, compromising data integrity and potentially enabling further malicious actions.", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate severity. EPSS data is unavailable, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA\u2019s KEV catalog. Likely attack vectors involve a legitimate developer with backend access who can inject Twig code; no additional network-level access is required."}}}}, "created": "2026-04-21T18:30:27.392096+00:00", "updated": "2026-04-21T22:45:16.063471+00:00", "vendors": ["octobercms", "octobercms$PRODUCT$october"]}