#VU125889 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in October CMS - CVE-2026-25125


Published: April 14, 2026


Vulnerability identifier: #VU125889
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-25125
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: October CMS
Software vendor: OctoberCMS

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in the INI settings parser when processing page settings fields containing environment variable interpolation syntax. A remote privileged user can inject crafted ${} patterns into CMS page settings fields to disclose sensitive information.

Only instances with cms.safe_mode enabled are affected.
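A defender-side check for the pattern this advisory describes, as an added example that is not October CMS code: it scans the INI settings block of a page template for `${...}` references and shows a restricted expansion that resolves only allow-listed names, so an untrusted reference never reaches the process environment. The template layout (an INI block terminated by a `==` line), the regular expression for the interpolation syntax and the sample template are assumptions and constructed data.

```python
"""Added example (not October CMS code): flag ${...} interpolation in the INI
settings block of a page template and expand only allow-listed names."""
import re
from typing import Dict, List, Tuple

# Interpolation syntax as described in the advisory: ${...}. Assumption: the
# name is whatever sits between the braces; empty names are reported too.
INTERP_RE = re.compile(r"\$\{([^}]*)\}")
SECTION_SEP = "=="  # assumption: the INI settings block ends at a '==' line

# Constructed sample page template; the ${...} references are test data only.
SAMPLE_TEMPLATE = """title = "Home ${APP_NAME}"
url = "/"
description = "Built by ${UNTRUSTED_REF}"
layout = "default"
==
<p>{{ this.page.title }}</p>
"""

def settings_section(template: str) -> str:
    """Return the INI settings block: everything before the first '==' line."""
    lines = template.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == SECTION_SEP:
            return "\n".join(lines[:i])
    return template  # no separator: treat the whole text as settings

def find_interpolations(template: str) -> List[Tuple[str, str]]:
    """Return (setting key, referenced name) for every ${...} in a settings value."""
    found = []
    for line in settings_section(template).splitlines():
        stripped = line.strip()
        if "=" not in stripped or stripped.startswith(("[", ";", "#")):
            continue  # skip section headers, comments and blank lines
        key, _, value = stripped.partition("=")
        for m in INTERP_RE.finditer(value):
            found.append((key.strip(), m.group(1)))
    return found

def expand_allowlisted(value: str, allowed: Dict[str, str]) -> str:
    """Resolve ${name} only from the caller-supplied allow-list; any other
    reference stays a literal string instead of being read from the environment."""
    return INTERP_RE.sub(lambda m: allowed.get(m.group(1), m.group(0)), value)

if __name__ == "__main__":
    for key, name in find_interpolations(SAMPLE_TEMPLATE):
        print(f"settings field {key!r} references ${{{name}}}")
    print(expand_allowlisted('Home ${APP_NAME} ${UNTRUSTED_REF}', {"APP_NAME": "Demo"}))
```

Running the scanner over exported page templates gives a quick audit of which settings fields already carry interpolation syntax; the allow-list expansion is the shape of the fix a parser needs, not the vendor's patch.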


Remediation

Install the security update from the vendor's website.

External links