CVE-2026-26274

Severity: MEDIUM 6.6 | EPSS: 0.07%

October CMS has Safe Mode Bypass via Twig Database Write Operations

Published: 4/21/2026 | Modified: 5/5/2026
Also known as: GHSA-h6jm-f4hh-fw27

Description

A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when `cms.safe_mode` is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.

### Impact

- Arbitrary database writes, including modification or deletion of any table
- Requires authenticated backend access with Developer permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)

### Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as `insert`, `update`, `delete`, and `truncate` are now blocked on query builder and model objects within the Twig sandbox. All users are encouraged to upgrade to the latest patched version.

### Workarounds

If upgrading immediately is not possible:

- Restrict Developer tool access to fully trusted administrators only

### Reporter

- Reported by [Chris Alupului](https://github.com/neosprings)
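As an added illustration of the mitigation described above (not October CMS's actual patch), the following decorating Twig sandbox policy refuses write methods on query builder and model objects and delegates everything else to the existing allow-list policy; the class name and the lists of blocked methods and write-capable classes are assumptions, Twig's `SecurityPolicyInterface` is real:

```php
<?php
// Added example, not October CMS code: wrap the sandbox's allow-list policy so
// that write methods on query-builder/model objects are denied even when the
// builder itself is on the allow-list. Assumes twig/twig 3.x and
// illuminate/database are installed via Composer.

use Twig\Sandbox\SecurityPolicyInterface;
use Twig\Sandbox\SecurityNotAllowedMethodError;

final class DenyDatabaseWritesPolicy implements SecurityPolicyInterface
{
    // Assumed deny-list; the advisory names insert, update, delete, truncate.
    private const WRITE_METHODS = [
        'insert', 'insertgetid', 'insertorignore', 'update', 'updateorinsert',
        'upsert', 'delete', 'forcedelete', 'truncate', 'increment', 'decrement',
        'save', 'create', 'firstorcreate', 'updateorcreate',
    ];

    // Assumed set of write-capable object types reachable from templates.
    private const WRITE_CAPABLE = [
        \Illuminate\Database\Query\Builder::class,
        \Illuminate\Database\Eloquent\Builder::class,
        \Illuminate\Database\Eloquent\Model::class,
    ];

    public function __construct(private SecurityPolicyInterface $inner) {}

    public function checkSecurity($tags, $filters, $functions): void
    {
        $this->inner->checkSecurity($tags, $filters, $functions);
    }

    public function checkMethodAllowed($obj, $method): void
    {
        foreach (self::WRITE_CAPABLE as $class) {
            if ($obj instanceof $class
                && in_array(strtolower($method), self::WRITE_METHODS, true)) {
                throw new SecurityNotAllowedMethodError(
                    sprintf('Database write "%s" is not allowed in safe mode.', $method),
                    get_class($obj), $method);
            }
        }
        // Anything not denied here must still pass the original allow-list.
        $this->inner->checkMethodAllowed($obj, $method);
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        $this->inner->checkPropertyAllowed($obj, $property);
    }
}
```

Register it in place of the original policy, e.g. `$twig->addExtension(new \Twig\Extension\SandboxExtension(new DenyDatabaseWritesPolicy($existingPolicy), true));`, so the denial applies to every sandboxed template.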

Affected packages (1)

CVSS scores

Source  Version   Severity    Vector
osv     CVSS 3.1  MEDIUM 6.6  CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References (3)