CVE-2026-26067

Name: CVE-2026-26067
Creator: NVD / NIST
Published: 2026-04-21T17:16:24.383+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.9/10EPSS 0.25%

Last modified Jun 17, 2026

CVE-2026-26067 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. EPSS estimates a 0.25% chance of exploitation in the next 30 days.

Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.

Metrics

CVSS 3.1

4.9/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.25%

15.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh

Timeline

Published: Apr 21, 2026
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2026-26067?

How severe is CVE-2026-26067?

CVE-2026-26067 has a CVSS score of 4.9/10 (MEDIUM severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.

How do I fix CVE-2026-26067?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-26067?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST