[MEDIUM] October CMS has Safe Mode Bypass via CSS Preprocessor Compilers

PKSA-4k1j-qzgm-rvr3 CVE-2026-26067 GHSA-3888-q23f-x7qh

Affected package: october/system

Affected version: >=4.0.0,<4.1.10|<3.7.14

Reported by:
GitHub