PT-2026-34003 · October · October
Published 2026-04-21 · Updated 2026-04-22
CVE-2026-26274
CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
October versions prior to 3.7.14
October versions prior to 4.1.10
Description
A flaw in the Twig sandbox security policy allows database write operations when cms.safe_mode is enabled. Backend users with Developer permissions can use Twig template markup to perform insert, update, and delete operations on any database table via the query builder, which is included in the sandbox allow-list.
Recommendations
Update to version 3.7.14
Update to version 4.1.10
Fix
Incomplete List of Disallowed Inputs
Incorrect Authorization
Related Identifiers
Affected Products
October