Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in October CMS - CVE-2026-25125


Published: April 14, 2026


Vulnerability identifier: #VU125889
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-25125
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OctoberCMS
Affected software:
October CMS

Detailed vulnerability description

The vulnerability allows a remote privileged user to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in the INI settings parser when it processes page settings fields that contain environment variable interpolation syntax. A remote user with permission to edit CMS pages can place crafted ${VAR} patterns in page settings fields; the parser expands them from the environment, so values that should never reach a page (such as secrets configured through environment variables) are disclosed to that user.

Only instances with cms.safe_mode enabled (set in config/cms.php) are affected.
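The following is an added illustration of the bug class the description above names, not code from October CMS: a hypothetical flat INI settings parser, in Python rather than PHP, that expands ${VAR} references from a constructed environment. The settings text, the environment values, the variable names and the allowlist are all invented for the example; the exact expansion rules of the real parser are not known from this advisory and are assumed here. The vulnerable parser expands every reference, the hardened one expands only an explicit allowlist and leaves everything else verbatim, and a small audit helper lists the references a submitted settings block contains.

```python
import re

# Constructed sample: the INI-style settings block of a CMS page, as a backend
# user with page-editing rights could submit it. The meta_description value
# carries the ${VAR} interpolation syntax described in the advisory.
PAGE_SETTINGS = """\
url = "/about"
layout = "default"
title = "About us"
meta_description = "db=${DB_USERNAME} pw=${DB_PASSWORD} theme=${THEME}"
"""

# Constructed stand-in for the process environment of the site (hypothetical values).
ENV = {
    "DB_USERNAME": "october",
    "DB_PASSWORD": "s3cret",
    "THEME": "demo",
}

# A ${NAME} reference; NAME is restricted to identifier characters.
INTERP_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_ini(text):
    """Minimal key = "value" parser for a flat settings block (no sections).
    Only the first '=' separates key from value, so values may contain '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key/value line
        settings[key.strip()] = value.strip().strip('"')
    return settings


def parse_settings_vulnerable(text, env=ENV):
    """Expands ${VAR} in every value, whoever wrote the value.
    A user who controls the template text can therefore read any variable
    visible to the parser (missing variables expand to an empty string)."""
    return {
        key: INTERP_RE.sub(lambda m: env.get(m.group(1), ""), value)
        for key, value in parse_ini(text).items()
    }


def parse_settings_hardened(text, env=ENV, allowed_vars=frozenset({"THEME"})):
    """Expands only an explicit allowlist of variable names; every other
    ${...} is left verbatim, so a secret cannot be pulled into a page by
    naming it in a settings field."""
    def expand(match):
        name = match.group(1)
        if name in allowed_vars and name in env:
            return env[name]
        return match.group(0)  # keep the literal ${NAME}

    return {
        key: INTERP_RE.sub(expand, value)
        for key, value in parse_ini(text).items()
    }


def find_interpolation_refs(text):
    """Audit helper: every distinct ${VAR} name in a settings payload, for
    reviewing stored page templates or logging backend edits."""
    return sorted(set(INTERP_RE.findall(text)))


if __name__ == "__main__":
    print("vulnerable:", parse_settings_vulnerable(PAGE_SETTINGS)["meta_description"])
    print("hardened:  ", parse_settings_hardened(PAGE_SETTINGS)["meta_description"])
    print("references:", find_interpolation_refs(PAGE_SETTINGS))
```

The allowlist is the key design choice: deciding per variable name what may be expanded keeps a legitimate use (a theme name) working while the database credentials stay inert as literal text, and the audit helper gives an operator a way to scan existing page templates for references that should not be there.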


How to mitigate CVE-2026-25125

Install the security update from the vendor's website. Until the update is applied, limit the backend accounts that can edit CMS pages, and review stored page settings for ${ references that do not belong there.

Sources