CVE-2026-26067
Received Received - Intake
Information Disclosure via CSS Preprocessor in October CMS Editors

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26067
EUVD
EUVD-2026-24153
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
octobercms october to 3.7.14 (exc)
octobercms october to 4.1.10 (exc)
octobercms system to 3.7.13 (exc)
octobercms system to 4.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26067 is a server-side information disclosure vulnerability in OctoberCMS affecting versions prior to 3.7.14 and 4.1.10. It arises from improper handling of CSS preprocessor files (.less, .sass, .scss) by the CMS backend.

Specifically, backend users with Editor permissions can exploit the import functionality of these CSS preprocessor files to read arbitrary files on the server, even when the cms.safe_mode configuration is enabled, which was intended to prevent such actions.

This means that an authenticated user with Editor-level access can bypass restrictions and access sensitive server files by crafting malicious CSS preprocessor files.

Impact Analysis

This vulnerability impacts the confidentiality of the system by allowing an authenticated Editor user to read arbitrary files on the server.

An attacker exploiting this flaw could access sensitive information stored on the server, such as configuration files, credentials, or other private data.

The vulnerability does not affect the integrity or availability of the system, but the exposure of confidential data could lead to further attacks or data breaches.

Detection Guidance

Detection of this vulnerability involves verifying the version of OctoberCMS and checking the configuration related to CSS preprocessor file handling.

  • Check the OctoberCMS system package version to see if it is older than 3.7.14 or 4.1.10.
  • Verify if the cms.safe_mode configuration is enabled, as the vulnerability only applies when safe mode is active.
  • Review backend user permissions to identify if any users have Editor-level access.

Specific commands depend on your environment, but example commands include:

  • To check the OctoberCMS version via command line (if composer is used): composer show october/system
  • To check the cms.safe_mode setting, inspect the configuration file (e.g., config/cms.php) or run: php artisan config:show cms.safe_mode
  • To list users with Editor permissions, query the database or use backend user management commands depending on your setup.
Mitigation Strategies

Immediate mitigation steps include upgrading the OctoberCMS system package and applying configuration changes to restrict the handling of CSS preprocessor files.

  • Upgrade OctoberCMS to version 3.7.14 or 4.1.10 or later, where the vulnerability is fixed.
  • If upgrading immediately is not possible, configure cms.editable_asset_types to exclude .less, .sass, and .scss files by setting it to ['css', 'js'].
  • Restrict Editor tool access to fully trusted administrators only to reduce the risk of exploitation.
  • Disable creation, upload, and editing of .less, .sass, and .scss files in the CMS editor, media manager, and file upload interfaces when cms.safe_mode is enabled.
Compliance Impact

This vulnerability allows authenticated backend users with Editor permissions to read arbitrary files on the server, leading to a high impact on confidentiality.

Since the vulnerability compromises confidentiality by exposing potentially sensitive information stored on the server, it could negatively affect compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Organizations using affected versions of OctoberCMS should apply the patches or workarounds promptly to maintain compliance and protect sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart