October CMS has Safe Mode Bypass via Twig Database Write Operations
Moderate severity
GitHub Reviewed
Published
Apr 21, 2026
in
octobercms/october
•
Updated Apr 24, 2026
Package
Affected versions
< 3.7.14
>= 4.0.0, < 4.1.10
Patched versions
3.7.14
4.1.10
Description
Published to the GitHub Advisory Database
Apr 21, 2026
Reviewed
Apr 21, 2026
Published by the National Vulnerability Database
Apr 21, 2026
Last updated
Apr 24, 2026
A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when
cms.safe_modeis enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.Impact
cms.safe_modeis enabled (otherwise direct PHP injection is already possible)Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as
insert,update,delete, andtruncateare now blocked on query builder and model objects within the Twig sandbox. All users are encouraged to upgrade to the latest patched version.Workarounds
If upgrading immediately is not possible:
Reporter
References