CVE-2026-26067: October CMS has Safe Mode Bypass via CSS Preprocessor Compilers

April 21, 2026 (updated April 24, 2026)

A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler’s import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled.

References

github.com/advisories/GHSA-3888-q23f-x7qh
github.com/octobercms/october
github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh
nvd.nist.gov/vuln/detail/CVE-2026-26067

Code Behaviors & Features

Detect and mitigate CVE-2026-26067 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →