SB2026042130 - Multiple vulnerabilities in October CMS
Published: April 21, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-29179)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to manipulate asset or blueprint files and disclose directory structure information.
The vulnerability exists due to improper access control in the CMS and Tailor editor extensions when handling asset and blueprint file operations and Tailor navigation checks. A remote privileged user can perform create, delete, rename, move, or upload operations on theme assets or blueprint files, or view the theme blueprint navigation tree, to manipulate asset or blueprint files and disclose directory structure information.
This only affects backend users with editor access who were specifically denied the editor.cms_assets or editor.tailor_blueprints sub-permissions.
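The defect pattern the bulletin describes is a check against the parent editor permission where the governing sub-permission should have been consulted. The model below is an added example, not October CMS code: the BackendUser class, its has_access resolution rule and the check functions are constructed for illustration, and only the two sub-permission codes and the listed asset operations come from the bulletin.

```python
from dataclasses import dataclass, field

# Sub-permissions named in the bulletin; the parent code "editor" is assumed.
ASSET_PERMISSION = "editor.cms_assets"
BLUEPRINT_PERMISSION = "editor.tailor_blueprints"
ASSET_OPERATIONS = ("create", "delete", "rename", "move", "upload")


@dataclass
class BackendUser:
    """Constructed model of a backend user with explicit allow/deny entries."""
    name: str
    permissions: dict[str, bool] = field(default_factory=dict)

    def has_access(self, code: str) -> bool:
        # The most specific explicit entry decides, so an explicit deny on a
        # sub-permission beats a granted parent permission.
        parts = code.split(".")
        for depth in range(len(parts), 0, -1):
            prefix = ".".join(parts[:depth])
            if prefix in self.permissions:
                return self.permissions[prefix]
        return False


def vulnerable_check(user: BackendUser, operation: str) -> bool:
    """Defect pattern: only the parent editor permission is consulted."""
    return user.has_access("editor")


def fixed_check(user: BackendUser, operation: str) -> bool:
    """Consult the sub-permission that governs the requested operation."""
    required = BLUEPRINT_PERMISSION if operation == "view_blueprint_nav" else ASSET_PERMISSION
    return user.has_access(required)


def allowed_operations(user: BackendUser, check) -> list[str]:
    """List the asset/blueprint operations a given check lets this user perform."""
    candidates = ASSET_OPERATIONS + ("view_blueprint_nav",)
    return [op for op in candidates if check(user, op)]


# Constructed sample: an editor explicitly denied both sub-permissions.
restricted_editor = BackendUser(
    "restricted_editor",
    {"editor": True, ASSET_PERMISSION: False, BLUEPRINT_PERMISSION: False},
)

if __name__ == "__main__":
    print("vulnerable:", allowed_operations(restricted_editor, vulnerable_check))
    print("fixed:     ", allowed_operations(restricted_editor, fixed_check))
```

With the vulnerable check the denied editor is still offered every operation; with the fixed check the explicit denials are honoured while an editor who holds the sub-permissions is unaffected.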
2) Cross-site scripting (CVE-ID: CVE-2026-27937)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the backend DataTable widget when rendering a query parameter in a backend URL. A remote attacker can send a specially crafted URL to execute arbitrary script in the victim's browser.
User interaction is required, and the attacker must know or guess the customized backend URL prefix.
Remediation
Install the update from the vendor's website.