Platform: php
Component: octobercms
Fixed versions: 3.7.15, 4.0.1, 4.1.10
A server-side information disclosure vulnerability has been identified in October CMS, affecting versions from 3.0.0 onward and 4.x versions below 4.1.10. This vulnerability allows attackers with Editor access to inject environment variable references into CMS page settings, potentially exposing sensitive data such as API keys and database credentials. The issue stems from the CMS's use of PHP's parse_ini_string() function, which in its default scanner mode interpolates environment variables referenced as ${VAR}. A fix is available in version 3.7.14.
The primary impact of CVE-2026-25125 is the potential exfiltration of sensitive environment variables. Attackers can inject ${APP_KEY}, ${DB_PASSWORD}, or similar references into CMS page settings fields. When these pages are reopened, the CMS resolves the references, revealing the variables' values to the attacker. This could lead to unauthorized access to databases, compromise of API keys, and potentially full system compromise if AWS keys or other sensitive credentials are exposed. The attack requires Editor access within the October CMS installation, but the potential impact is significant.
This vulnerability was publicly disclosed on 2026-04-14. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. Given the relatively straightforward nature of the exploit and the potential for significant data exposure, it is reasonable to expect that a PoC may be developed and published in the future.
Organizations using October CMS with Editor roles are at risk. This includes websites and applications built on October CMS where users have the ability to edit page content. Shared hosting environments where multiple users share Editor access are particularly vulnerable, as a compromised account could expose sensitive data for all sites on the server.
• PHP: Examine CMS page settings for injected ${...} references. Use grep to search for these patterns in the database tables or theme files where page settings are stored.
• Linux / server: Monitor CMS and web server logs (typically /var/log/apache2/error.log or similar) for errors related to variable interpolation or unexpected environment variable access.
• Generic web: Check rendered CMS pages for unexpected environment variable values. Use curl to inspect the page source and response headers for signs of data leakage.
Exploitation status: disclosure
EPSS: 0.01% (2nd percentile)
The recommended mitigation for CVE-2026-25125 is to upgrade October CMS to version 3.7.14 or later immediately. If upgrading is not immediately feasible, restrict Editor access to trusted users only. As a temporary workaround, you could disable environment variable interpolation in the INI settings parser, although this may affect other CMS functionality. Monitor CMS logs for suspicious activity, specifically attempts to inject ${...} references into page settings. After upgrading, confirm the fix by entering an environment variable reference into a test page's settings and verifying that it is not resolved.
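The root cause described above (parse_ini_string() expanding ${VAR} references) and the workaround of disabling interpolation, as an added example in PHP that is not October CMS's own code: the environment variable, the page settings and the function names are constructed for the demonstration.

```php
<?php
// Added example, not October CMS code. Shows why editor-controlled INI text must not
// reach parse_ini_string() in its default scanner mode, and one way to harden the call.

// Constructed secret standing in for a real APP_KEY loaded from .env (not a real key).
putenv('APP_KEY=base64:constructed-demo-key-not-real');

// Page settings as an editor could submit them (constructed sample input).
$submitted = <<<'INI'
title = "About us"
layout = "default"
description = ${APP_KEY}
INI;

// Vulnerable: the default scanner mode (INI_SCANNER_NORMAL) expands ${VAR}
// from the process environment, so the secret ends up in the parsed settings.
function parseSettingsVulnerable(string $ini): array
{
    return parse_ini_string($ini) ?: [];
}

// Hardened: reject any ${...} reference up front, and parse with INI_SCANNER_RAW,
// which takes values literally and performs no environment variable expansion.
function parseSettingsHardened(string $ini): array
{
    if (preg_match('/\$\{[^}]*\}/', $ini)) {
        throw new InvalidArgumentException('environment variable references are not allowed in page settings');
    }
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('invalid page settings');
    }
    return $parsed;
}

$leaked = parseSettingsVulnerable($submitted);
echo "vulnerable: description = {$leaked['description']}\n"; // the constructed secret

try {
    parseSettingsHardened($submitted);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}

// Raw mode on its own already leaves the reference unexpanded.
$raw = parse_ini_string($submitted, false, INI_SCANNER_RAW);
echo "raw mode: description = {$raw['description']}\n"; // literal ${APP_KEY}
```

Run it with `php example.php`; the first line prints the constructed secret, the second reports the rejection, and the third prints the literal `${APP_KEY}` text.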
Upgrade October CMS to version 3.7.14 or later, or to version 4.1.10 or later. If you cannot upgrade immediately, restrict access to the Editor tool to fully trusted administrators only, and make sure that database and cloud service credentials are not reachable from the web server's network.
CVE-2026-25125 is an information disclosure vulnerability in October CMS that allows attackers with Editor access to expose sensitive environment variables by injecting them into CMS page settings.
You are affected if you are running October CMS versions from 3.0.0 onward or 4.x versions below 4.1.10. Check your version and upgrade immediately if vulnerable.
Upgrade to October CMS version 3.7.14 or later to resolve this vulnerability. Restrict Editor access as a temporary mitigation.
There is currently no evidence of active exploitation in the wild, but the vulnerability's potential impact warrants immediate attention.
Refer to the official October CMS security advisory for detailed information and updates: [https://octobercms.com/support/security-advisories](https://octobercms.com/support/security-advisories)