The vulnerability identified as CVE-2026-22692 affects October CMS's optional Twig safe mode feature (CMS_SAFE_MODE) in versions prior to 3.7.13 and from 4.0.0 up to 4.1.4. It involves a sandbox bypass due to insufficient restriction on certain methods of the collect() helper, allowing authenticated users with template editing permissions to circumvent sandbox protections. Exploitation requires authenticated backend access with template editing rights and only applies when CMS_SAFE_MODE is enabled. The vulnerability has been addressed in versions 3.7.13 and 4.1.5. Workarounds include disabling CMS_SAFE_MODE if untrusted template editing is unnecessary and limiting template editing permissions to fully trusted administrators.

Successful exploitation allows authenticated users with template editing permissions to bypass sandbox protections, potentially leading to unauthorized code execution or data exposure within the CMS environment. The vulnerability does not affect confidentiality, integrity, or availability beyond the scope of the sandbox bypass and requires high privileges (authenticated backend access with template editing rights). It only impacts installations with CMS_SAFE_MODE enabled, which is disabled by default.

A fix is available in October CMS versions 3.7.13 and 4.1.5. Users should upgrade to these or later versions to remediate the vulnerability. If upgrading immediately is not possible, users can mitigate risk by disabling the CMS_SAFE_MODE feature if untrusted template editing is not required and by restricting CMS template editing permissions strictly to fully trusted administrators. Since CMS_SAFE_MODE is disabled by default, ensuring it remains disabled unless necessary reduces exposure.