October CMS, Twig Sandbox Bypass, CVE-2026-22692 (Moderate)

Listen to this Post

The vulnerability stems from the `October\Rain\Support\SafeCollection` class implementing the `CallsAnyMethod` interface, which instructs the `System\Twig\SecurityPolicy` to bypass the standard method allow‑listing for the collection object itself.
While `SafeCollection` attempts to filter arguments to prevent direct execution of callables, it does not block the `mapInto($class)` method.
`mapInto()` iterates over the collection and instantiates the provided class name: new $class($value, $key);.
An attacker can therefore instantiate any class known to the application.

Three exploitation paths exist:

  1. RCE – The security policy allow‑lists `__toString()` on all objects.
    By instantiating `Psy\Readline\Hoa\Xcallable` (which wraps a callable) and wrapping it inside `GuzzleHttp\Psr7\FnStream` (which calls a user‑defined function in its `__toString` method), an attacker can trigger arbitrary PHP functions that require no arguments (e.g., php_uname, phpinfo) simply by printing the object in Twig.
  2. XXE – `SimpleXMLElement` accepts a libxml option flag as its second constructor argument.
    `mapInto()` passes the collection key as the second argument.
    By creating a collection with a key of `2` (i.e., LIBXML_NOENT), external entity substitution is enabled, leading to XXE and the ability to read system files.
  3. LFI – Instantiating `SplFileObject` with a file path and read mode (passed via mapInto) returns a traversable file object.
    Passing this object to the `collect()` helper triggers immediate iteration (via `iterator_to_array` inside the framework’s core), which bypasses the sandbox’s method blocking policy and allows reading any file the web server has access to.
    The sandbox bypass is triggered only when `CMS_SAFE_MODE` is enabled (disabled by default) and the attacker has authenticated backend access with template editing permissions.

dailycve form

Platform: October CMS
Version: <=4.1.4,<=3.7.12
Vulnerability: Twig Sandbox Bypass
Severity: Moderate
date: Apr 14,2026

Prediction: Apr 15,2026

What Undercode Say:

Verify affected October CMS version
php artisan october:version | grep -E "October CMS v(3.|4.)"
Check if safe mode is enabled
grep CMS_SAFE_MODE .env | grep -i true
Twig payload (RCE) – execute php_uname
{% set clsX = 'Psy.Readline.Hoa.Xcallable'|replace({'.': '\'}) %}
{% set clsF = 'GuzzleHttp.Psr7.FnStream'|replace({'.': '\'}) %}
{% set x = collect({'': 'php_uname'}).mapInto(clsX).first() %}
{% set methods = {'__toString': x} %}
{% set f = collect([bash]).mapInto(clsF).first() %}
System Info: {{ f }}

Exploit:

Authenticated backend user with template editing privileges injects a Twig payload that abuses `collect()->mapInto()` to instantiate arbitrary classes (e.g., SimpleXMLElement, SplFileObject, `Xcallable` + FnStream), escaping the Twig sandbox and achieving RCE, LFI, or XXE.

Protection from this CVE:

  • Upgrade to October CMS v4.1.5 or v3.7.13 immediately.
  • If upgrading is not possible, disable `CMS_SAFE_MODE` in `.env` (CMS_SAFE_MODE=false).
  • Restrict CMS template editing permissions to fully trusted administrators only.

Impact:

  • Remote Code Execution (RCE): Execute arbitrary PHP functions (e.g., php_uname, phpinfo).
  • Local File Inclusion (LFI): Read any file the web server has access to (e.g., /etc/passwd, .env).
  • XXE Injection: Read system files via `SimpleXMLElement` with external entity substitution.
  • Complete bypass of Twig sandbox protections when `CMS_SAFE_MODE` is enabled, allowing privilege escalation to system administrator level.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top