Database Manipulation Vulnerability in October CMS by October
CVE-2026-26274

6.6MEDIUM

Key Information:

Vendor: Octobercms
Status: October
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-26274?

A significant security flaw in October CMS allows backend users with Developer permissions to perform unauthorized database operations. This is due to an issue in the Twig sandbox security policy, which improperly permits database write operations when 'cms.safe_mode' is enabled. Exploiting this vulnerability, attackers can leverage Twig template markup to execute insert, update, and delete actions on any database table through the query builder, providing an easy avenue for data manipulation. This issue has been addressed in versions 3.7.14 and 4.1.10.

Affected Version(s)

october >= 4.0.0, < 4.1.10 < 4.0.0, 4.1.10

october < 3.7.14 < 3.7.14

References

https://github.com/octobercms/october/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Feb 12, 2026

CVE-2026-26274 Data

JSON

Octobercms

What is CVE-2026-26274?

Affected Version(s)

References

CVSS V3.1

Timeline