CVE-2026-26274
SQL Injection via Twig Sandbox in October CMS Backend
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octobercms | october | to 3.7.14 (exc) |
| octobercms | october | to 4.1.10 (exc) |
| octobercms | system | to 3.7.14 (exc) |
| octobercms | system | to 4.1.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows backend users with Developer permissions to perform arbitrary database write operations, including insert, update, and delete actions, which can lead to unauthorized modification or deletion of sensitive data.
Such unauthorized data manipulation can compromise the confidentiality, integrity, and availability of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict controls over data access and protection.
Mitigating this vulnerability by upgrading to patched versions or restricting Developer access is critical to maintaining compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-26274 is a vulnerability in the OctoberCMS platform affecting versions prior to 3.7.14 and 4.1.10. It stems from a flaw in the Twig sandbox security policy that allows backend users with Developer permissions to perform database write operations such as insert, update, delete, and truncate using Twig template markup. This is possible because the query builder was mistakenly included in the sandbox allow-list, enabling these operations even when the cms.safe_mode setting is enabled.
The vulnerability requires authenticated backend access with Developer privileges and has a moderate severity with a CVSS score of 6.6. It is fixed in versions 3.7.14 and 4.1.10 by blocking write operations on query builder and model objects within the Twig sandbox.
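The flaw described above is a sandbox policy that lets template code reach write methods on query builder and model objects. The following is an added illustration, not October CMS's own patch, of how a Twig 3 sandbox policy can treat those objects as read-only by allow-listing the methods templates may call, rather than deny-listing insert, update, delete and truncate (the incomplete-deny-list pattern CWE-184 describes). It assumes Twig 3 and Laravel's Illuminate database classes are autoloaded through Composer, as they are in an October CMS install, and that `$twig` is an existing `Twig\Environment`; the method names in `READ_METHODS` are an illustrative starting set, not a complete list.

```php
<?php
// Added example: a decorating sandbox policy that makes database objects read-only
// inside templates. Not October CMS code; assumes Twig 3 and Laravel's database
// classes are available via Composer autoloading.

use Illuminate\Database\Eloquent\Builder as EloquentBuilder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Query\Builder as QueryBuilder;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityPolicyInterface;

final class ReadOnlyDatabasePolicy implements SecurityPolicyInterface
{
    // Explicit allow-list of read-only methods (lowercase, because Twig resolves
    // method names case-insensitively). Anything not listed, including every
    // write method, is rejected by default. Illustrative set, extend as needed.
    private const READ_METHODS = [
        'where', 'wherein', 'orderby', 'limit', 'take', 'skip', 'select',
        'get', 'first', 'find', 'count', 'exists', 'pluck', 'with',
        'getattribute', 'toarray',
    ];

    public function __construct(private SecurityPolicyInterface $inner) {}

    // Tags, filters and functions are decided by the wrapped policy unchanged.
    public function checkSecurity($tags, $filters, $functions): void
    {
        $this->inner->checkSecurity($tags, $filters, $functions);
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        $this->inner->checkPropertyAllowed($obj, $property);
    }

    public function checkMethodAllowed($obj, $method): void
    {
        // Non-database objects keep the application's existing rules.
        if (!$this->isDatabaseObject($obj)) {
            $this->inner->checkMethodAllowed($obj, $method);
            return;
        }

        // Database objects: only the read-only allow-list is callable. Because
        // Eloquent forwards unknown calls down to the query builder via __call,
        // the check is keyed on the method name, not on which class declares it.
        if (!in_array(strtolower($method), self::READ_METHODS, true)) {
            throw new SecurityNotAllowedMethodError(
                sprintf('Calling "%s" on database objects is not allowed in templates.', $method),
                get_class($obj),
                $method
            );
        }
    }

    private function isDatabaseObject(object $obj): bool
    {
        return $obj instanceof QueryBuilder
            || $obj instanceof EloquentBuilder
            || $obj instanceof Model;
    }
}

// Wiring (assumed $twig is a Twig\Environment). The base policy carries whatever
// tags/filters/functions the application already permits; the wrapper adds the
// read-only rule for query builder and model objects. The second argument turns
// the sandbox on for every template, not only for {% sandbox %} blocks.
$basePolicy = new SecurityPolicy(['if', 'for'], ['escape'], [], [], ['range']);
$twig->addExtension(new SandboxExtension(new ReadOnlyDatabasePolicy($basePolicy), true));
```

With this policy in place, a template calling `model.delete()` or `query.truncate()` raises `SecurityNotAllowedMethodError` at render time, and the allow-list is the single place to review when deciding what templates may do with database objects.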
How can this vulnerability impact me?
This vulnerability can allow an attacker with Developer backend access to arbitrarily modify or delete database content by executing insert, update, delete, or truncate operations through Twig templates. This can lead to data corruption, loss of data integrity, and potential disruption of service availability.
Because the attack requires high privileges and authenticated access, the risk is limited to trusted backend users, but if exploited, it can severely impact the confidentiality, integrity, and availability of the affected system's data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the version of OctoberCMS and checking if the cms.safe_mode setting is enabled. Specifically, versions up to 3.7.13 and 4.1.9 are vulnerable.
Since the vulnerability requires authenticated backend access with Developer permissions, monitoring for unusual database write operations initiated via Twig templates could indicate exploitation attempts.
No specific detection commands are provided in the available resources.
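Since the page gives no detection commands, here is an added PHP check, not from the CVE record or from October CMS, that reads the installed version from a project's `composer.lock` and tests it against the fixed versions listed above (3.7.14 for the 3.x line, 4.1.10 for the 4.x line). It assumes the Composer package name `october/system`, which corresponds to the "system" product in the affected-products table; the embedded `composer.lock` fragment is constructed for the demonstration.

```php
<?php
// Added example: version check for CVE-2026-26274 against composer.lock.
// Assumes the Composer package is named "october/system" (not stated on the page).

// Returns true when the given version falls inside this advisory's affected ranges:
// 4.x below 4.1.10, or anything below 3.7.14 (the table's "to 3.7.14 (exc)" range).
function isAffected(string $version): bool
{
    // Composer records tags as "v3.7.13"; strip the prefix, since version_compare
    // would otherwise rank any "v..." string below any plain numeric version.
    $v = ltrim($version, 'v');

    if (version_compare($v, '4.0.0', '>=')) {
        return version_compare($v, '4.1.10', '<');
    }
    return version_compare($v, '3.7.14', '<');
}

// Finds the locked version of $package in a composer.lock document, or null.
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return $pkg['version'] ?? null;
        }
    }
    return null;
}

// Constructed composer.lock fragment used when no path is given on the command line.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "october/rain",   "version": "v3.7.13"},
    {"name": "october/system", "version": "v3.7.13"}
  ]
}
JSON;

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleLock;
$version  = lockedVersion($lockJson, 'october/system');

if ($version === null) {
    echo "october/system not found in composer.lock\n";
    exit(2);
}

printf(
    "october/system %s: %s\n",
    $version,
    isAffected($version) ? 'AFFECTED, upgrade to 3.7.14 / 4.1.10 or later' : 'not in affected range'
);
exit(isAffected($version) ? 1 : 0);
```

Run it as `php check.php /path/to/composer.lock`; the non-zero exit code on an affected version makes it usable in a CI or fleet-inventory job. Because exploitation requires an authenticated Developer account, the complementary control is an inventory of which backend users hold that permission, which this script does not cover.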
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OctoberCMS to version 3.7.14 or 4.1.10 or later, where the vulnerability is fixed.
If upgrading immediately is not feasible, restrict Developer tool access to fully trusted administrators to reduce the risk of exploitation.
Additionally, consider disabling cms.safe_mode if it is not required, as the vulnerability only applies when this mode is enabled. Note, however, that the explanation above states the write operations succeed even when cms.safe_mode is enabled, so the setting does not prevent this issue; since safe mode restricts what backend users can place in templates, turning it off does not reduce exposure, and the upgrade and the restriction of Developer access remain the effective mitigations.