CVE-2026-26067
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Description
A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft `.less`, `.sass`, or `.scss` files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with `cms.safe_mode` enabled.

### Impact

- Potential exposure of sensitive server-side files
- Requires authenticated backend access with Editor permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)

### Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. When `cms.safe_mode` is enabled, `.less`, `.sass`, and `.scss` files can no longer be created, uploaded, or edited across the CMS editor, media manager, and file upload interfaces. All users are encouraged to upgrade to the latest patched version.

### Workarounds

If upgrading immediately is not possible:

- Set `cms.editable_asset_types` config to `['css', 'js']` to remove preprocessor file types from the editor
- Restrict Editor tool access to fully trusted administrators only

Reported by [Chris Alupului](https://github.com/neosprings)
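The following is an added example, not October CMS code: a stand-alone model of the asset-type gate that the patch and the workaround above describe, usable to reason about which backend file operations a given configuration still permits. The default contents of `cms.editable_asset_types` are an assumption.

```python
"""Model of the gate described in the advisory (added example, not October CMS
code). In safe mode the patched CMS refuses create/upload/edit of preprocessor
sources; the workaround removes them from cms.editable_asset_types instead."""
from pathlib import PurePosixPath

# Extensions whose compilers honour @import and are blocked in safe mode.
PREPROCESSOR_TYPES = frozenset({"less", "sass", "scss"})

# Assumption: the unpatched default of cms.editable_asset_types, which
# includes the preprocessor types the advisory is about.
DEFAULT_EDITABLE_TYPES = ("css", "js", "less", "sass", "scss")
# The setting the advisory gives as a workaround.
HARDENED_EDITABLE_TYPES = ("css", "js")


def allowed_asset_types(editable_types, safe_mode):
    """Extensions the patched gate accepts for the given configuration."""
    types = {t.lower().lstrip(".") for t in editable_types}
    if safe_mode:
        types -= PREPROCESSOR_TYPES  # patched behaviour
    return frozenset(types)


def asset_extension(filename):
    """Final extension, lower-cased, ignoring directory components."""
    return PurePosixPath(filename).suffix.lower().lstrip(".")


def may_edit_asset(filename, editable_types=DEFAULT_EDITABLE_TYPES, safe_mode=True):
    """True if a create/upload/edit of `filename` should be accepted."""
    ext = asset_extension(filename)
    if not ext:
        return False  # extensionless names are not theme assets
    return ext in allowed_asset_types(editable_types, safe_mode)


def audit_config(editable_types, safe_mode):
    """Preprocessor types an *unpatched* install would still let Editors edit.

    An empty result means the workaround is in place, or safe mode is off
    (where, as the advisory notes, PHP injection is already possible)."""
    if not safe_mode:
        return frozenset()
    configured = {t.lower().lstrip(".") for t in editable_types}
    return frozenset(configured & PREPROCESSOR_TYPES)


if __name__ == "__main__":
    for name in ("theme.css", "app.js", "vars.less", "main.SCSS", "assets/_mixins.scss"):
        print(f"{name:22} safe_mode=on -> {may_edit_asset(name)}")
    print("unpatched default exposes:", sorted(audit_config(DEFAULT_EDITABLE_TYPES, True)))
    print("workaround exposes:", sorted(audit_config(HARDENED_EDITABLE_TYPES, True)))
```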
How to fix CVE-2026-26067
To remediate CVE-2026-26067, upgrade the affected package to a fixed version below.
- Upgrade to 3.7.14 or later
Is CVE-2026-26067 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.7.14