GHSA-3888-Q23F-X7QH

Vulnerability from github – Published: 2026-04-21 16:43 – Updated: 2026-04-21 16:43
VLAI?
Summary
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Details

A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled.

Impact

  • Potential exposure of sensitive server-side files
  • Requires authenticated backend access with Editor permissions
  • Only relevant when cms.safe_mode is enabled (otherwise direct PHP injection is already possible)

Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. When cms.safe_mode is enabled, .less, .sass, and .scss files can no longer be created, uploaded, or edited across the CMS editor, media manager, and file upload interfaces. All users are encouraged to upgrade to the latest patched version.

Workarounds

If upgrading immediately is not possible: - Set cms.editable_asset_types config to ['css', 'js'] to remove preprocessor file types from the editor - Restrict Editor tool access to fully trusted administrators only

Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T16:43:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft `.less`, `.sass`, or `.scss` files that leverage the compiler\u0027s import functionality to read arbitrary files from the server. This worked even with `cms.safe_mode` enabled.\n\n### Impact\n- Potential exposure of sensitive server-side files\n- Requires authenticated backend access with Editor permissions\n- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. When `cms.safe_mode` is enabled, `.less`, `.sass`, and `.scss` files can no longer be created, uploaded, or edited across the CMS editor, media manager, and file upload interfaces. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Set `cms.editable_asset_types` config to `[\u0027css\u0027, \u0027js\u0027]` to remove preprocessor file types from the editor\n- Restrict Editor tool access to fully trusted administrators only\n\n- Reported by [Chris Alupului](https://github.com/neosprings)",
  "id": "GHSA-3888-q23f-x7qh",
  "modified": "2026-04-21T16:43:49Z",
  "published": "2026-04-21T16:43:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "October CMS has Safe Mode Bypass via CSS Preprocessor Compilers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.