Sandbox Bypass Vulnerability in October CMS by October
CVE-2026-22692

4.9MEDIUM

Key Information:

Vendor: Octobercms
Status: October
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-22692?

October CMS versions before 3.7.13 and between 4.0.0 to 4.1.4 exhibit a sandbox bypass vulnerability linked to the optional Twig safe mode feature (CMS_SAFE_MODE). This flaw allows authenticated users with template editing permissions to manipulate certain methods on the collect() helper, thus circumventing intended sandbox protections. This vulnerability only impacts installations with CMS_SAFE_MODE enabled, which is disabled by default. To mitigate this risk, it is advised to either disable CMS_SAFE_MODE if untrusted template editing is unnecessary or to limit template editing permissions to trusted administrators. The issue has been resolved in subsequent releases, 3.7.13 and 4.1.5.

Affected Version(s)

october < 3.7.13 < 3.7.13

october >= 4.0.0, < 4.1.5 < 4.0.0, 4.1.5

References

https://github.com/octobercms/october/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Jan 8, 2026

CVE-2026-22692 Data

JSON

Octobercms

What is CVE-2026-22692?

Affected Version(s)

References

CVSS V3.1

Timeline