Platform: php
Component: octobercms
Fixed in: 3.7.15, 4.0.1, 4.1.10
A server-side information disclosure vulnerability has been identified in October CMS, affecting 3.x releases from 3.0.0 onward and 4.x releases from 4.0.0 up to, but not including, 4.1.10. The vulnerability allows attackers with Editor access to inject environment variable references into CMS page settings, potentially exposing sensitive data such as API keys and database credentials. The issue stems from the CMS's use of PHP's parse_ini_string() function, which supports environment variable interpolation. A fix is available in version 3.7.14.
The primary impact of CVE-2026-25125 is the exfiltration of sensitive environment variables. An attacker can place ${APP_KEY}, ${DB_PASSWORD} or similar references into CMS page settings fields. When the page is reopened, the CMS resolves those references and displays their values to the attacker. This can lead to unauthorized database access, compromise of API keys, and potentially full system compromise if cloud credentials such as AWS keys are exposed. The attack requires Editor access within the October CMS installation, but the potential impact is significant.
This vulnerability was publicly disclosed on 2026-04-14. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. Given the straightforward nature of the exploit and the potential for significant data exposure, it is reasonable to expect that a POC will be developed and published in the future.
Exploit Status
EPSS: 0.01% (2% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-25125 is to upgrade October CMS to version 3.7.14 or later without delay. If upgrading is not immediately feasible, restrict Editor access to trusted users only. As a temporary workaround, environment variable interpolation can be disabled in the INI settings parser, although this may affect other CMS functionality. Monitor CMS logs for suspicious activity, specifically attempts to place ${} references in page settings. After upgrading, confirm the fix by entering an environment variable reference in a test page's settings and verifying that it is stored and displayed literally rather than resolved.
Update October CMS to version 3.7.14 or higher, or to version 4.1.10 or higher. If you cannot update immediately, restrict Editor tool access to fully trusted administrators only and ensure that database and cloud service credentials are not accessible from the web server's network.
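As an added illustration (not code from October CMS or from this advisory's author), the following PHP script shows the mechanism the advisory describes: in its default scanner mode, PHP's parse_ini_string() expands ${NAME} references from the process environment, while the INI_SCANNER_RAW mode leaves them literal, which is what the "disable interpolation" workaround amounts to. It also includes a pre-save check that a CMS could apply to editor-supplied settings regardless of scanner mode. The environment variable name and value, the settings text, and all function names are constructed for this demo; no October CMS API is used.

```php
<?php
// Added example, not October CMS code. Demonstrates ${NAME} expansion in
// parse_ini_string(), the raw scanner mode that prevents it, and a pre-save check.
declare(strict_types=1);

// Constructed for the demo: stands in for a real secret such as DB_PASSWORD.
putenv('DEMO_DB_PASSWORD=s3cr3t-demo-value');

// Constructed editor-supplied page settings in INI form. Single-quoted PHP strings
// are used so that PHP itself does not expand ${...} before the INI parser sees it.
$settings = 'title = "About us"' . "\n"
          . 'layout = "default"' . "\n"
          . 'description = ${DEMO_DB_PASSWORD}' . "\n";

/** Default (NORMAL) scanner mode: ${NAME} is replaced with the environment value. */
function parseInterpolating(string $ini): array
{
    $parsed = parse_ini_string($ini, false, INI_SCANNER_NORMAL);
    return $parsed === false ? [] : $parsed;
}

/** RAW scanner mode: values are kept literally, so ${NAME} survives unexpanded. */
function parseRaw(string $ini): array
{
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    return $parsed === false ? [] : $parsed;
}

/** Names referenced via ${NAME} anywhere in the settings text (for logging or rejecting). */
function findEnvRefs(string $ini): array
{
    preg_match_all('/\$\{([A-Za-z_][A-Za-z0-9_]*)\}/', $ini, $m);
    return array_values(array_unique($m[1]));
}

/**
 * Pre-save guard: returns null when the settings are acceptable, otherwise an
 * error message naming the rejected references. A CMS could call this before
 * persisting editor-supplied settings, independent of the scanner mode used later.
 */
function validateSettings(string $ini): ?string
{
    $refs = findEnvRefs($ini);
    if ($refs === []) {
        return null;
    }
    return 'settings contain environment references: ' . implode(', ', $refs);
}

echo "Interpolating parse (default mode):\n";
var_export(parseInterpolating($settings));
echo "\n\nRaw parse (INI_SCANNER_RAW):\n";
var_export(parseRaw($settings));
echo "\n\nValidation: " . (validateSettings($settings) ?? 'ok') . "\n";
```

Run it with `php demo.php`: the first parse shows the demo secret in the `description` value, the raw parse keeps the literal `${DEMO_DB_PASSWORD}` text, and the validator reports the reference. The same regex is a reasonable pattern for the log monitoring the advisory recommends, since a legitimate page setting rarely needs a `${...}` token.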
CVE-2026-25125 is an information disclosure vulnerability in October CMS that allows attackers with Editor access to expose sensitive environment variables by injecting them into CMS page settings.
You are affected if you are running an October CMS 3.x release from 3.0.0 onward, or a 4.x release from 4.0.0 up to, but not including, 4.1.10. Check your version and upgrade immediately if vulnerable.
Upgrade to October CMS version 3.7.14 or later to resolve this vulnerability. Restrict Editor access as a temporary mitigation.
There is currently no evidence of active exploitation in the wild, but the vulnerability's potential impact warrants immediate attention.
Refer to the official October CMS security advisory for detailed information and updates: [https://octobercms.com/support/security-advisories](https://octobercms.com/support/security-advisories)