CVE-2026-26067 MEDIUM

CVE-2026-26067: October: Safe Mode Bypass via CSS Preprocessor Compilers

Vendor Octobercms
Product october
Weakness CWE-863 · Incorrect authorization
Published April 21, 2026
Last update April 21, 2026
View on NVD All CVEs

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-34453 SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content CVE-2026-33551 CVE-2026-41404 OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source CVE-2022-23741 Incorrect authorization in GitHub Enterprise Server token generation leading to full admin access