GHSA-M5QG-JC75-4JP6

Vulnerability from github – Published: 2026-04-14 20:02 – Updated: 2026-04-14 20:02
Summary
October Rain has a Twig Sandbox Bypass via Collection Methods
Details

A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.

Impact

  • Bypass of Twig sandbox restrictions
  • Only affects installations with CMS_SAFE_MODE enabled (disabled by default)
  • Requires authenticated backend access with CMS template editing permissions

Patches

The vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.
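The check a practitioner wants after reading the Patches paragraph is whether a given deployment is actually in scope: is the pinned october/rain version inside one of the affected ranges published in the OSV record (0 up to but excluding 3.7.13, and 4.0.0 up to but excluding 4.1.5), and is CMS_SAFE_MODE turned on at all. The script below is an added example written for this page, not code from October CMS or from GitHub's advisory database. It copies the two ranges from the OSV record, applies OSV's introduced/fixed semantics to a version string, and reads the package version from a composer.lock excerpt and the safe-mode flag from a .env excerpt; both inputs are constructed here for illustration, and the assumption that safe mode is toggled through a CMS_SAFE_MODE entry in .env follows the variable name the advisory uses.

```python
"""Assess exposure to GHSA-m5qg-jc75-4jp6 (CVE-2026-22692) from local project files.

Added example for this page; not code from October CMS or GitHub.
The affected ranges are copied from the OSV record; the composer.lock and
.env excerpts at the bottom are constructed sample inputs.
"""
import json
import re

# Affected ranges exactly as published in the OSV record (ECOSYSTEM events).
AFFECTED_RANGES = [
    {"introduced": "4.0.0", "fixed": "4.1.5"},
    {"introduced": "0", "fixed": "3.7.13"},
]


def parse_version(version):
    """Turn 'v4.1.4' or '4.1.4' into a comparable (major, minor, patch) tuple.

    Only the leading numeric components are compared; a pre-release suffix such
    as '-beta1' is ignored, which is conservative for the tagged releases this
    advisory names. Non-numeric strings (e.g. 'dev-master') raise ValueError.
    """
    version = version.lstrip("vV")
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version, ranges=AFFECTED_RANGES):
    """OSV semantics: affected if introduced <= version < fixed for any range."""
    parsed = parse_version(version)
    for rng in ranges:
        low = parse_version(rng["introduced"])
        high = parse_version(rng["fixed"]) if "fixed" in rng else None
        if low <= parsed and (high is None or parsed < high):
            return True
    return False


def installed_rain_version(composer_lock_text):
    """Return the october/rain version pinned in a composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for package in lock.get(section, []):
            if package.get("name") == "october/rain":
                return package["version"]
    return None


def safe_mode_enabled(dotenv_text):
    """True if CMS_SAFE_MODE is set to a truthy value in a .env file.

    Assumption: safe mode is controlled by this variable, as named in the
    advisory. An absent key is treated as the documented default (disabled).
    """
    for line in dotenv_text.splitlines():
        line = line.strip()
        if line.startswith("CMS_SAFE_MODE="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in ("true", "1", "yes", "on")
    return False


def assess(composer_lock_text, dotenv_text):
    """Combine the version range check with the safe-mode precondition."""
    version = installed_rain_version(composer_lock_text)
    if version is None:
        return "october/rain not installed"
    if not is_affected(version):
        return f"october/rain {version} is not in an affected range"
    if not safe_mode_enabled(dotenv_text):
        return f"october/rain {version} is in an affected range but CMS_SAFE_MODE is off; upgrade"
    return f"october/rain {version} is in an affected range and CMS_SAFE_MODE is on; upgrade now"


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/rain", "version": "v4.1.4"},
        {"name": "twig/twig", "version": "v3.14.0"},
    ],
    "packages-dev": [],
})
SAMPLE_ENV = "APP_DEBUG=false\nCMS_SAFE_MODE=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

Run it against a real project by reading composer.lock and .env from disk and passing their contents to assess(). The range check follows the OSV record as published; a future version outside both ranges (for example a 5.x line) is reported as not affected simply because no range covers it, so re-check the record rather than treating that result as a guarantee.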

Workarounds

If upgrading immediately is not possible:

  • Disable CMS_SAFE_MODE if untrusted template editing is not required
  • Restrict CMS template editing permissions to fully trusted administrators only

References

  • Reported by Łukasz Rybak

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "october/rain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "october/rain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T20:02:05Z",
    "nvd_published_at": "2026-04-14T17:16:28Z",
    "severity": "MODERATE"
  },
  "details": "A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.\n\n### Impact\n- Bypass of Twig sandbox restrictions\n- Only affects installations with `CMS_SAFE_MODE` enabled (disabled by default)\n- Requires authenticated backend access with CMS template editing permissions\n\n### Patches\nThe vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Disable `CMS_SAFE_MODE` if untrusted template editing is not required\n- Restrict CMS template editing permissions to fully trusted administrators only\n\n### References\n- Reported by \u0141ukasz Rybak",
  "id": "GHSA-m5qg-jc75-4jp6",
  "modified": "2026-04-14T20:02:05Z",
  "published": "2026-04-14T20:02:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "October Rain has a Twig Sandbox Bypass via Collection Methods"
}