{"api_version":"1","generated_at":"2026-04-23T15:11:14+00:00","cve":"CVE-2026-26067","urls":{"html":"https://cve.report/CVE-2026-26067","api":"https://cve.report/api/cve/CVE-2026-26067.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26067","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26067"},"summary":{"title":"October: Safe Mode Bypass via CSS Preprocessor Compilers","description":"October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-21 17:16:24","updated_at":"2026-04-22 21:08:48"},"problem_types":["CWE-184","CWE-863","CWE-863 CWE-863: Incorrect Authorization","CWE-184 CWE-184: Incomplete List of Disallowed Inputs"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"4.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","baseScore":4.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh","name":"https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26067","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26067","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"octobercms","product":"october","version":"affected >= 4.0.0, < 4.1.10","platforms":[]},{"source":"CNA","vendor":"octobercms","product":"october","version":"affected < 3.7.14","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"26067","cve":"CVE-2026-26067","epss":"0.000370000","percentile":"0.112610000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:14"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26067","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-21T17:35:10.591022Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-21T17:35:19.882Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"october","vendor":"octobercms","versions":[{"status":"affected","version":">= 4.0.0, < 4.1.10"},{"status":"affected","version":"< 3.7.14"}]}],"descriptions":[{"lang":"en","value":"October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-184","description":"CWE-184: Incomplete List of Disallowed Inputs","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-21T16:16:03.293Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh","tags":["x_refsource_CONFIRM"],"url":"https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh"}],"source":{"advisory":"GHSA-3888-q23f-x7qh","discovery":"UNKNOWN"},"title":"October: Safe Mode Bypass via CSS Preprocessor Compilers"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-26067","datePublished":"2026-04-21T16:16:03.293Z","dateReserved":"2026-02-10T18:01:31.900Z","dateUpdated":"2026-04-21T17:35:19.882Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-21 17:16:24","lastModifiedDate":"2026-04-22 21:08:48","problem_types":["CWE-184","CWE-863","CWE-863 CWE-863: Incorrect Authorization","CWE-184 CWE-184: Incomplete List of Disallowed Inputs"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","baseScore":4.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26067","Ordinal":"1","Title":"October: Safe Mode Bypass via CSS Preprocessor Compilers","CVE":"CVE-2026-26067","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26067","Ordinal":"1","NoteData":"October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.","Type":"Description","Title":"October: Safe Mode Bypass via CSS Preprocessor Compilers"}]}}}