CVE-2026-25125

CVSS v3.1

4.9

Medium

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse ini string() function supports ${} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP KEY}, ${DB PASSWORD}, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.

Impact

Exfiltration of sensitive environment variables (APP KEY, DB credentials, AWS keys, etc.)
Could enable further attacks: database access, cookie forgery, AWS resource access
Requires authenticated backend access with Editor permissions
Only relevant when cms.safe mode is enabled (otherwise direct PHP injection is already possible)

Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

Workarounds

If upgrading immediately is not possible:

Restrict Editor tool access to fully trusted administrators only
Ensure database and cloud service credentials are not accessible from the web server's network

References

Reported by Proactive Testing Team (PTT)

Fix

Information Disclosure

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-94

Related Identifiers

CVE-2026-25125

GHSA-G6V3-WV4J-X9HG

Affected Products

October

October/Rain

CVE-2026-25125

Impact

Patches

Workarounds

References

Weakness Enumeration

Related Identifiers

Affected Products

References · 4