CVE-2026-26274
Received Received - Intake
SQL Injection via Twig Sandbox in October CMS Backend

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26274
EUVD
EUVD-2026-24155
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
octobercms october to 3.7.14 (exc)
octobercms october to 4.1.10 (exc)
octobercms system to 3.7.14 (exc)
octobercms system to 4.1.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26274 is a vulnerability in the OctoberCMS platform affecting versions prior to 3.7.14 and 4.1.10. It stems from a flaw in the Twig sandbox security policy that allows backend users with Developer permissions to perform database write operations such as insert, update, delete, and truncate using Twig template markup. This is possible because the query builder was mistakenly included in the sandbox allow-list, enabling these operations even when the cms.safe_mode setting is enabled.

The vulnerability requires authenticated backend access with Developer privileges and has a moderate severity with a CVSS score of 6.6. It is fixed in versions 3.7.14 and 4.1.10 by blocking write operations on query builder and model objects within the Twig sandbox.

Impact Analysis

This vulnerability can allow an attacker with Developer backend access to arbitrarily modify or delete database content by executing insert, update, delete, or truncate operations through Twig templates. This can lead to data corruption, loss of data integrity, and potential disruption of service availability.

Because the attack requires high privileges and authenticated access, the risk is limited to trusted backend users, but if exploited, it can severely impact the confidentiality, integrity, and availability of the affected system's data.

Detection Guidance

Detection of this vulnerability involves verifying the version of OctoberCMS and checking if the cms.safe_mode setting is enabled. Specifically, versions up to 3.7.13 and 4.1.9 are vulnerable.

Since the vulnerability requires authenticated backend access with Developer permissions, monitoring for unusual database write operations initiated via Twig templates could indicate exploitation attempts.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade OctoberCMS to version 3.7.14 or 4.1.10 or later, where the vulnerability is fixed.

If upgrading immediately is not feasible, restrict Developer tool access to fully trusted administrators to reduce the risk of exploitation.

Additionally, consider disabling cms.safe_mode if it is not required, as the vulnerability only applies when this mode is enabled.

Compliance Impact

This vulnerability allows backend users with Developer permissions to perform arbitrary database write operations, including insert, update, and delete actions, which can lead to unauthorized modification or deletion of sensitive data.

Such unauthorized data manipulation can compromise the confidentiality, integrity, and availability of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict controls over data access and protection.

Mitigating this vulnerability by upgrading to patched versions or restricting Developer access is critical to maintaining compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart