ByteOS Network

NVD Vulnerability Details :

CVE-2026-29179

Deferred

Source-security-advisories@github.com

Published At-21 Apr, 2026 | 17:16

Updated At-22 Apr, 2026 | 21:08

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	3.3	LOW	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 3.3

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-863	Primary	security-advisories@github.com

CWE ID: CWE-863

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp	security-advisories@github.com	N/A

Hyperlink: https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp

Source: security-advisories@github.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History