GHSA-x4q7-m6fp-4v9v · Severity: high · Ecosystem: composer — October CMS Safe Mode bypass leads to authenticated Remote Code Execution
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.
Conclusion & alert: CVE-2022-35944 is rated Moderate Risk (44/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.86%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.50% | 0.86% | +0.36% |
| 2 | 2025-10-19 | 0.22% | 0.50% | +0.29% |
| 3 | 2025-10-15 | — | 0.22% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.2 | 3.1 | MEDIUM |
|
0.7 | 5.5 | [email protected] |
| 7.2 | 3.1 | HIGH |
|
1.2 | 5.9 | [email protected] |
GHSA-x4q7-m6fp-4v9v · Severity: high · Ecosystem: composer — October CMS Safe Mode bypass leads to authenticated Remote Code Execution
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| octobercms | october | < 2.2.34 | cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:* |
| octobercms | october | >= 3.0.00, < 3.0.66 | cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v | Third Party Advisory |