PT-2026-34002 · Unknown · October Cms

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-26067

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
October versions prior to 3.7.14
October versions prior to 4.1.10

Description
An information disclosure issue exists in the handling of CSS preprocessor files. Backend users with Editor permissions can create .less, .sass, or .scss files that use the compiler import functionality to read arbitrary files from the server. This occurs regardless of whether cms.safe_mode is enabled.

Recommendations
Update to version 3.7.14.
Update to version 4.1.10.

Fix

Incomplete List of Disallowed Inputs

Information Disclosure

Path traversal

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-26067
GHSA-3888-Q23F-X7QH

Affected Products

October Cms