SCA: security update for october/system (GHSA-jvwg-phxx-j3rp)

low Tenable Self-Hosted Container Security Plugin ID 440697

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained
sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor
editor extensions. This only affects backend users who were explicitly granted editor access but had
editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration.
In this edge case, such users could perform file operations (create, delete, rename, move, upload) on
theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence
error in the Tailor navigation also disclosed the theme blueprint directory tree under the same
conditions. This vulnerability is fixed in 3.7.16 and 4.1.16. (CVE-2026-29179)

Solution

Update the october/system library and its related packages to version 3.7.16 or later.

See Also

https://github.com/advisories/GHSA-jvwg-phxx-j3rp

Plugin Details

Severity: Low

ID: 440697

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 4/21/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 3.2

Temporal Score: 2.4

Vector: CVSS2#AV:N/AC:H/Au:M/C:P/I:P/A:N

CVSS Score Source: CVE-2026-29179

CVSS v3

Risk Factor: Low

Base Score: 3.3

Temporal Score: 2.9

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/21/2026

Vulnerability Publication Date: 4/21/2026

Reference Information

CVE: CVE-2026-29179

cwe: CWE-863