PT-2026-32911 · Unknown+1 · October Cms+1

Ptt · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-25125

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: October CMS versions prior to 3.7.14 (3.x branch); October CMS versions prior to 4.1.10 (4.x branch).
Description: An information disclosure issue exists in the INI settings parser used for CMS template settings. PHP's parse_ini_string() function supports the ${NAME} syntax for environment variable interpolation. Users with Editor access can inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields. When the template is parsed, the referenced environment variables are resolved, the resolved values are stored in the template, and they are returned to the attacker when the page is reopened, potentially leading to the exfiltration of database passwords, AWS keys, and the application key. With those values an attacker may further obtain database access or forge cookies. This issue is specifically relevant when the cms.safe_mode setting is enabled.
Recommendations:
- Update to version 3.7.14 (3.x branch).
- Update to version 4.1.10 (4.x branch).
- Restrict Editor tool access to fully trusted administrators only.
- Ensure database and cloud service credentials are not accessible from the web server network.
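The following PHP script is an added example, not code from October CMS or from this advisory. It reproduces the mechanism described above (parse_ini_string() resolving ${NAME} from the process environment) against a constructed environment variable, then shows an audit helper that lists interpolation patterns in stored settings text and one hardened parser that rejects such input before parsing. The section and key names, the environment value, and the function names are assumptions for illustration; the project's actual fix is not described on this page.

```php
<?php
// Added example, not October CMS code. Demonstrates why untrusted INI text
// must not reach parse_ini_string() in its default mode: the scanner expands
// ${NAME} references from the environment. Names and values are constructed.

declare(strict_types=1);

// Constructed stand-in for a real application secret.
putenv('APP_KEY=base64:constructed-example-key-not-a-real-secret');

// Settings text as an Editor could submit it in a page settings field
// (section and key names are assumptions for this example).
$untrusted = '[viewBag]' . "\n" . 'title = "${APP_KEY}"' . "\n";

/** Vulnerable: default scanner mode resolves ${APP_KEY} via getenv(). */
function parseSettingsVulnerable(string $ini): array
{
    $parsed = parse_ini_string($ini, true);
    return $parsed === false ? [] : $parsed;
}

/**
 * Audit helper: list the ${NAME} references present in INI text without
 * resolving them. Useful for scanning already-stored templates for
 * injected patterns.
 */
function findInterpolationPatterns(string $ini): array
{
    preg_match_all('/\$\{([A-Za-z_][A-Za-z0-9_]*)\}/', $ini, $m);
    return array_values(array_unique($m[1]));
}

/**
 * Hardened: reject any interpolation syntax up front, then parse with
 * INI_SCANNER_RAW, where option values are not interpreted, as a second
 * layer. This is one way to close the hole, not the project's own fix.
 */
function parseSettingsHardened(string $ini): array
{
    if (findInterpolationPatterns($ini) !== [] || str_contains($ini, '${')) {
        throw new InvalidArgumentException(
            'Environment interpolation syntax (${...}) is not allowed in settings'
        );
    }
    $parsed = parse_ini_string($ini, true, INI_SCANNER_RAW);
    return $parsed === false ? [] : $parsed;
}

$leaked = parseSettingsVulnerable($untrusted);
echo 'vulnerable parser stored: ', $leaked['viewBag']['title'] ?? '(none)', PHP_EOL;

echo 'patterns found by audit: ', implode(', ', findInterpolationPatterns($untrusted)), PHP_EOL;

try {
    parseSettingsHardened($untrusted);
} catch (InvalidArgumentException $e) {
    echo 'hardened parser rejected input: ', $e->getMessage(), PHP_EOL;
}
```

Run it with any PHP 8 CLI: the vulnerable parser returns the resolved environment value in place of the literal "${APP_KEY}", which is exactly the value that would be written into the template and shown back to the Editor; the hardened parser refuses the same input. The audit helper is the piece to run over existing template storage after upgrading, since templates saved before the fix may already contain resolved secrets.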

Status: Fix

Vulnerability types: Information Disclosure; Code Injection

Weakness Enumeration: (none listed)

Related Identifiers: CVE-2026-25125; GHSA-G6V3-WV4J-X9HG

Affected Products: October Cms; Php