SB2026041437 - Multiple vulnerabilities in October CMS

Published: April 14, 2026 Updated: April 21, 2026

Security Bulletin ID: SB2026041437
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity: Low 100%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-25133)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the SVG sanitization logic when processing uploaded SVG files through the Media Manager. A remote user can upload a specially crafted SVG file to execute arbitrary script in a victim's browser.

User interaction is required because the uploaded SVG must be viewed or embedded in a page for the script to run.
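As a defensive illustration of the sanitization step this entry describes, here is an added example (not October CMS code): a standard-library Python sanitizer that strips script-capable elements, on* event-handler attributes, active CSS and non-http(s) URL schemes from an uploaded SVG before it is stored, and reports what it removed so the upload can be logged. The sample SVG, the function names and the tag/attribute lists are constructed for this example and are not taken from the bulletin.

```python
"""Defensive SVG sanitizer for uploaded files (added example, not October CMS code).

A browser executes <script>, on* event handlers and javascript: URLs inside an
SVG when the file is viewed or embedded inline, so an upload pipeline should
strip them before the file is stored. Standard library only.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialize with the conventional prefixes rather than ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed foreign/active content (matched case-insensitively).
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "object", "embed", "handler"}
# URL-bearing attributes keep only these schemes; scheme-less and '#fragment' values pass.
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_ACTIVE_CSS_RE = re.compile(r"url\s*\(|expression\s*\(|javascript:", re.I)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def unsafe_url(value: str) -> bool:
    """True if the value carries a scheme other than http/https.

    Whitespace and control characters are removed first so obfuscated
    forms such as 'java\\tscript:' are still recognised.
    """
    norm = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    m = _SCHEME_RE.match(norm)
    return bool(m) and m.group(1) not in ALLOWED_SCHEMES


def _clean(elem: ET.Element, removed: list[str]) -> None:
    tag = _local(elem.tag)
    for name in list(elem.attrib):
        local = _local(name).lower()
        value = elem.attrib[name]
        if local.startswith("on"):                      # event handler, e.g. onload
            removed.append(f"attribute {local} on <{tag}>")
            del elem.attrib[name]
        elif local in URL_ATTRS and unsafe_url(value):
            removed.append(f"attribute {local} on <{tag}> (disallowed scheme)")
            del elem.attrib[name]
        elif local == "style" and _ACTIVE_CSS_RE.search(value):
            removed.append(f"attribute style on <{tag}> (active CSS)")
            del elem.attrib[name]
    for child in list(elem):
        # A non-string tag is a comment or processing instruction: drop it too.
        child_tag = _local(child.tag).lower() if isinstance(child.tag, str) else "comment"
        if child_tag == "comment" or child_tag in DANGEROUS_TAGS:
            removed.append(f"element <{child_tag}>")
            elem.remove(child)
        elif child_tag == "style" and _ACTIVE_CSS_RE.search(child.text or ""):
            removed.append("element <style> (active CSS)")
            elem.remove(child)
        else:
            _clean(child, removed)


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized SVG markup, list describing what was removed)."""
    # Refuse DOCTYPE/entity declarations outright: uploads never need them and
    # they are the vehicle for entity-expansion and external-entity tricks.
    if re.search(r"<!DOCTYPE", svg_text, re.I):
        raise ValueError("DOCTYPE declarations are not accepted in uploaded SVG")
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg>")
    removed: list[str] = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample upload: a script element, an event handler and a
# javascript: link alongside legitimate drawing content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10" fill="blue"/></a>
  <use href="#icon"/>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    print(cleaned)
    for item in removed:
        print("removed:", item)
```

The sanitizer is a denylist over a parsed tree, not a regex over text, so tag-case and attribute-namespace tricks do not slip past it; it is still only one layer. The complementary control for a media manager is to serve user uploads from a separate origin (or with Content-Disposition: attachment) so that an SVG which does get through cannot run in the application's origin.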


2) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-ID: CVE-2026-25125)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in the INI settings parser when processing page settings fields containing environment variable interpolation syntax. A remote privileged user can inject crafted ${} patterns into CMS page settings fields to disclose sensitive information.

Only instances with cms.safe_mode enabled are affected.


3) Stored cross-site scripting (CVE-ID: CVE-2026-24906)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the backend editor markup classes fields when rendering stored markup class values in RichEditor dropdown menus. A remote user can inject a malicious markup class value to execute arbitrary script in a victim's browser.

Exploitation requires authenticated backend access with editor settings permissions and is triggered when a user opens a RichEditor.


4) Stored cross-site scripting (CVE-ID: CVE-2026-24907)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the viewer's browser context.

The vulnerability exists due to cross-site scripting in the Event Log mail preview feature when rendering logged mail messages. A remote user can create a malicious mail template content entry to execute arbitrary JavaScript in the viewer's browser context.

Exploitation requires authenticated backend access with mail template editing permissions, and user interaction is required when a superuser views the specific Event Log entry.


5) Improper access control (CVE-ID: CVE-2026-26274)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify or delete arbitrary database data.

The vulnerability exists due to improper access control in the Twig sandbox security policy when processing Twig template markup with query builder access. A remote privileged user can execute insert, update, delete, or truncate operations on database tables to modify or delete arbitrary database data.

Only instances with cms.safe_mode enabled are vulnerable.


6) Improper access control (CVE-ID: CVE-2026-26067)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in CSS preprocessor compilers when processing crafted .less, .sass, or .scss files. A remote privileged user can leverage the compiler import functionality to read arbitrary files from the server to disclose sensitive information.

Only backend users with Editor permissions can exploit this issue, and it is relevant only when cms.safe_mode is enabled.
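The mitigation for this class of issue is a confinement check on import resolution. The following is an added example, not October CMS code or its actual compiler: a Python helper that resolves each @import relative to the importing file and refuses anything that escapes the theme asset root, is not a stylesheet, or points at a remote URL. The asset root, file paths, stylesheet text and function names are constructed for the example.

```python
"""Confining CSS preprocessor @import resolution to the theme asset directory
(added example; not October CMS code).

A .less/.sass/.scss compiler that honours @import must resolve each reference
against the importing file and refuse anything that lands outside the asset
root, has a non-stylesheet extension, or points at a remote URL.
"""
import re
from pathlib import Path

STYLESHEET_SUFFIXES = {".less", ".sass", ".scss", ".css"}
# Matches @import "x";  @import 'x';  @import url("x");  @import x;
_IMPORT_RE = re.compile(r"""@import\s+(?:url\()?["']?([^"')\s;]+)""")


class ImportRejected(ValueError):
    def __init__(self, reason: str, ref: str):
        super().__init__(f"{reason}: {ref}")
        self.reason = reason


def resolve_import(asset_root: str, importing_file: str, ref: str) -> Path:
    """Return the file an @import may read, or raise ImportRejected."""
    if ref.startswith(("http:", "https:", "//")):
        raise ImportRejected("remote", ref)
    root = Path(asset_root).resolve()
    importer = Path(importing_file).resolve()
    target = Path(ref)
    if not target.suffix:                      # "variables" -> "variables.scss"
        target = target.with_suffix(importer.suffix)
    # resolve() normalises '..' and follows existing symlinks, so a link inside
    # the root that points outside it is caught as well. An absolute ref
    # replaces importer.parent entirely and is then rejected by the root check.
    candidate = (importer.parent / target).resolve()
    if not candidate.is_relative_to(root):
        raise ImportRejected("outside-root", ref)
    if candidate.suffix.lower() not in STYLESHEET_SUFFIXES:
        raise ImportRejected("bad-extension", ref)
    return candidate


def audit_imports(asset_root: str, importing_file: str, source: str) -> list[tuple[str, str]]:
    """Classify every @import in a stylesheet as 'ok' or the rejection reason."""
    results: list[tuple[str, str]] = []
    for ref in _IMPORT_RE.findall(source):
        try:
            resolve_import(asset_root, importing_file, ref)
            results.append((ref, "ok"))
        except ImportRejected as exc:
            results.append((ref, exc.reason))
    return results


# Constructed paths and stylesheet for the example.
ASSET_ROOT = "/var/www/themes/demo/assets"
IMPORTING_FILE = f"{ASSET_ROOT}/scss/theme.scss"
SAMPLE_SCSS = """\
@import "variables";
@import 'mixins.scss';
@import "../../../../../secret.txt";
@import url("https://fonts.example/font.css");
"""

if __name__ == "__main__":
    for ref, status in audit_imports(ASSET_ROOT, IMPORTING_FILE, SAMPLE_SCSS):
        print(f"{status:14} {ref}")
```

The check runs before any file is opened, so the compiler never reads a path it later decides to reject. The same helper serves the .less and .sass cases because the suffix of the importing file is reused for extension-less references.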

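For triage across the six entries, the CVSSv4 vector strings quoted above can be parsed rather than read by eye. The following is an added example, not the bulletin's own tooling: a validating parser for the CVSS:4.0 vector format (metric names and allowed values follow the CVSS v4.0 specification) and a grouping of the bulletin's CVE ids by the properties that usually drive patch priority. The function names and group labels are this example's own.

```python
"""CVSS v4.0 vector parser and bulletin triage (added example; not the bulletin's tooling).

Validates the vector strings quoted in the bulletin and answers the questions a
defender asks first: which entries need only low privileges, which need a
victim to act, which carry high impact on the vulnerable system, and which
depend on attack requirements (AT:P).
"""

# Base metrics are mandatory; threat, environmental and supplemental are optional.
BASE_METRICS = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}
_X = ("X",)
OPTIONAL_METRICS = {
    "E": ("X", "A", "P", "U"),
    "CR": _X + ("H", "M", "L"), "IR": _X + ("H", "M", "L"), "AR": _X + ("H", "M", "L"),
    "MAV": _X + BASE_METRICS["AV"], "MAC": _X + BASE_METRICS["AC"], "MAT": _X + BASE_METRICS["AT"],
    "MPR": _X + BASE_METRICS["PR"], "MUI": _X + BASE_METRICS["UI"],
    "MVC": _X + ("H", "L", "N"), "MVI": _X + ("H", "L", "N"), "MVA": _X + ("H", "L", "N"),
    "MSC": _X + ("H", "L", "N"), "MSI": _X + ("S", "H", "L", "N"), "MSA": _X + ("S", "H", "L", "N"),
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}


def parse_cvss4(vector: str) -> dict[str, str]:
    """Split a CVSS:4.0 vector into {metric: value}; raise ValueError if malformed."""
    head, _, body = vector.strip().partition("/")
    if head != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {head!r}")
    metrics: dict[str, str] = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        allowed = BASE_METRICS.get(key) or OPTIONAL_METRICS.get(key)
        if not sep or allowed is None:
            raise ValueError(f"unknown metric in {part!r}")
        if value not in allowed:
            raise ValueError(f"bad value {value!r} for {key}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_valid_cvss4(vector: str) -> bool:
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False


def triage(bulletin: dict[str, str]) -> dict[str, list[str]]:
    """Group CVE ids by the vector properties that drive patch priority."""
    groups: dict[str, list[str]] = {
        "low_privilege": [], "user_interaction": [],
        "high_vulnerable_impact": [], "attack_requirements": [],
    }
    for cve, vector in bulletin.items():
        m = parse_cvss4(vector)
        if m["PR"] in ("N", "L"):
            groups["low_privilege"].append(cve)
        if m["UI"] != "N":
            groups["user_interaction"].append(cve)
        if "H" in (m["VC"], m["VI"], m["VA"]):
            groups["high_vulnerable_impact"].append(cve)
        if m["AT"] == "P":
            groups["attack_requirements"].append(cve)
    return groups


# The six vectors from this bulletin, in the order listed above.
BULLETIN = {
    "CVE-2026-25133": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
    "CVE-2026-25125": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-24906": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
    "CVE-2026-24907": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
    "CVE-2026-26274": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-26067": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
}

if __name__ == "__main__":
    for group, cves in triage(BULLETIN).items():
        print(f"{group}: {', '.join(cves) or '-'}")
```

Run against this bulletin, the grouping shows the three stored/upload XSS entries as the ones reachable from a low-privileged backend account (each needing a victim to view something), while the three high-impact entries all require a highly privileged account and, per the descriptions above, cms.safe_mode.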

Remediation

Install the update from the vendor's website.