
October CMS: Sensitive Information Leaked Through Editor Access

CVE-2026-25125 GHSA-g6v3-wv4j-x9hg
Summary

October CMS versions 3.7.13 and earlier, and 4.1.9 and earlier, contain a security flaw that allows attackers with Editor access to steal sensitive information such as database passwords and AWS keys. This can happen when users with Editor access are allowed to edit certain settings. To stay safe, update to version 3.7.14 or 4.1.10, or limit Editor access to trusted administrators and keep sensitive data off the web server's network.

What to do
  • Update october rain to version 4.1.10.
  • Update october rain to version 3.7.14.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
| --- | --- | --- | --- |
| composer | october | rain | >= 4.0.0, <= 4.1.9 |
| composer | october | rain | <= 3.7.13 |
Fix: upgrade to 4.1.10 (4.x) or 3.7.14 (3.x)
Original title
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
Original description
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.
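As an added illustration (not October CMS code), the snippet below shows the interpolation behaviour the description relies on and one defensive way to parse Editor-supplied INI text. It assumes a constructed environment variable `DEMO_SECRET` and a hypothetical helper `parseSettingsSafely()`; neither comes from the project.

```php
<?php
// Added example, not October CMS code. DEMO_SECRET is a constructed value standing
// in for a real secret such as APP_KEY; parseSettingsSafely() is a hypothetical helper.

putenv('DEMO_SECRET=constructed-secret-value');

// INI text as an Editor could submit it in a page settings field.
$settings = "title = Home\nmeta = \${DEMO_SECRET}\n";

// Default scanner mode (INI_SCANNER_NORMAL): ${DEMO_SECRET} is resolved from the
// process environment, so the secret lands in the parsed (and later stored) template.
$unsafe = parse_ini_string($settings);
echo 'normal mode meta: ', $unsafe['meta'], PHP_EOL;

// Defensive parse with two layers: reject interpolation syntax outright, and parse in
// INI_SCANNER_RAW mode so values are taken literally even if the check is ever bypassed.
function parseSettingsSafely(string $ini): array
{
    if (preg_match('/\$\{/', $ini)) {
        throw new InvalidArgumentException('Variable interpolation is not allowed in settings');
    }
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new RuntimeException('Invalid INI settings');
    }
    return $parsed;
}

try {
    parseSettingsSafely($settings);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Raw mode on its own keeps the token literal instead of resolving it.
$raw = parse_ini_string($settings, false, INI_SCANNER_RAW);
echo 'raw mode meta: ', $raw['meta'], PHP_EOL;
```

Run with the PHP CLI: the normal-mode line prints the environment value, while the hardened path rejects the input and the raw-mode line prints the literal `${DEMO_SECRET}`.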

### Impact
- Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.)
- Could enable further attacks: database access, cookie forgery, AWS resource access
- Requires authenticated backend access with Editor permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)

### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Restrict Editor tool access to fully trusted administrators only
- Ensure database and cloud service credentials are not accessible from the web server's network

### References
- Reported by Proactive Testing Team (PTT)
NVD CVSS 3.1: 4.9
Vulnerability type
CWE-94 Code Injection
CWE-200 Information Exposure
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026