Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/533312?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/533312?format=api", "purl": "pkg:composer/statamic/cms@3.0.0", "type": "composer", "namespace": "statamic", "name": "cms", "version": "3.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.73.20", "latest_non_vulnerable_version": "6.18.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23272?format=api", "vulnerability_id": "VCID-1p98-j94g-ryff", "summary": "Statamic Vulnerable to Server-Side Request Forgery via Glide\n### Impact\n\nWhen Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.\n\n\n## Patches\n\nThis has been fixed in 5.73.11 and 6.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28423", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07472", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28423" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28423", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28423" }, { "reference_url": "https://github.com/advisories/GHSA-cwpp-325q-2cvp", "reference_id": "GHSA-cwpp-325q-2cvp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwpp-325q-2cvp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57002?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/55696?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2dvd-xxru-1yd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28423", "GHSA-cwpp-325q-2cvp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1p98-j94g-ryff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38064?format=api", "vulnerability_id": "VCID-2gcu-pjav-cuab", "summary": "Statamic CMS vulnerable to remote code execution via form uploads\n### Impact\n\nSimilar to [another advisory](https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc), certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel.\n\n### Patches\nIt has been patched in 3.4.14 and 4.34.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48217", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.7781", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48217" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/" } ], "url": "https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411" }, { "reference_url": "https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6" }, { "reference_url": "https://github.com/statamic/cms/pull/8991", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/8991" }, { "reference_url": "https://github.com/statamic/cms/pull/8992", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/8992" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v3.4.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v3.4.14" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.34.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.34.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48217", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48217" }, { "reference_url": "https://github.com/advisories/GHSA-2r53-9295-3m86", "reference_id": "GHSA-2r53-9295-3m86", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2r53-9295-3m86" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71008?format=api", "purl": "pkg:composer/statamic/cms@3.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/624170?format=api", "purl": "pkg:composer/statamic/cms@4.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-mxt9-vkqf-cqfr" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/71007?format=api", "purl": "pkg:composer/statamic/cms@4.34.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0" } ], "aliases": [ "CVE-2023-48217", "GHSA-2r53-9295-3m86" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2gcu-pjav-cuab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27461?format=api", "vulnerability_id": "VCID-2vqa-yfy2-jbd7", "summary": "Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation\n### Impact\n\nStored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\nThis affects:\n\n- Control panel users with permission to create or edit Collections and Taxonomies\n- Versions up to and including 5.22.0\n\nThe vulnerability can be exploited to:\n\n- Change a super admin's password (versions ≤ 5.21.0)\n- Change a super admin's email address to initiate password reset (version 5.22.0)\n- Gain unauthorized access to superadmin accounts\n\nThe attack requires:\n\n- An authenticated user with control panel and content creation permissions\n- A super admin to view the compromised content\n\n### Patches\n\nThis has been fixed in 5.22.1.\n\n### Credits\n\nStatamic thanks [Wojtek Chwala](https://github.com/wojtekchwala) for responsibly reporting the identified issues and working with us as we addressed them.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11559", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64112" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/" } ], "url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.22.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.22.1" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64112", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64112" }, { "reference_url": "https://github.com/advisories/GHSA-g59r-24g3-h7cm", "reference_id": "GHSA-g59r-24g3-h7cm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g59r-24g3-h7cm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61233?format=api", "purl": "pkg:composer/statamic/cms@5.22.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1" } ], "aliases": [ "CVE-2025-64112", "GHSA-g59r-24g3-h7cm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2vqa-yfy2-jbd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21390?format=api", "vulnerability_id": "VCID-4aqv-qs5w-hkdb", "summary": "Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs\n### Impact\nAn authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability.\n\nExploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.\n\nNote that a follow-up report showed that the original 5.73.11 & 6.4.0 fixes were insufficient.\n\nIf you use addons that depend on Statamic, ensure that after updating you are running a patched Statamic version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28425", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40461", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28425" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.16" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.7.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.7.2" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28425", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28425" }, { "reference_url": "https://github.com/advisories/GHSA-cpv7-q2wx-m8rw", "reference_id": "GHSA-cpv7-q2wx-m8rw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cpv7-q2wx-m8rw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56087?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/56088?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-28425", "GHSA-cpv7-q2wx-m8rw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4aqv-qs5w-hkdb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22284?format=api", "vulnerability_id": "VCID-6xpu-jzvq-tuh7", "summary": "Statamic's Markdown preview endpoint exposes sensitive user data\n### Impact\nThe markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33882", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22002", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33882" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33882", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33882" }, { "reference_url": "https://github.com/advisories/GHSA-cvh3-23vq-w7h4", "reference_id": "GHSA-cvh3-23vq-w7h4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cvh3-23vq-w7h4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56087?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/56088?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33882", "GHSA-cvh3-23vq-w7h4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6xpu-jzvq-tuh7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37975?format=api", "vulnerability_id": "VCID-brrn-wtn8-kkej", "summary": "Cross-site Scripting via uploaded assets\n### Impact\nHTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the \"Forms\" feature containing an assets field, or within the control panel which requires authentication.\n\n### Patches\nIt has been patched on 3.4.15 and 4.36.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48701", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.76709", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48701" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v3.4.15", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v3.4.15" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.36.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.36.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48701", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48701" }, { "reference_url": "https://github.com/advisories/GHSA-8jjh-j3c2-cjcv", "reference_id": "GHSA-8jjh-j3c2-cjcv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8jjh-j3c2-cjcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70917?format=api", "purl": "pkg:composer/statamic/cms@3.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/70919?format=api", "purl": "pkg:composer/statamic/cms@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0" } ], "aliases": [ "CVE-2023-48701", "GHSA-8jjh-j3c2-cjcv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-brrn-wtn8-kkej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22491?format=api", "vulnerability_id": "VCID-bxbr-5b44-hyaj", "summary": "Statamic vulnerable to privilege escalation via stored cross-site scripting\n### Impact\nStored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\n### Patches\nThis has been fixed in 5.73.11 and 6.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28426", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02176", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28426" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28426", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28426" }, { "reference_url": "https://github.com/advisories/GHSA-5vrj-wf7v-5wr7", "reference_id": "GHSA-5vrj-wf7v-5wr7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vrj-wf7v-5wr7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57002?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/55696?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2dvd-xxru-1yd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28426", "GHSA-5vrj-wf7v-5wr7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bxbr-5b44-hyaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23499?format=api", "vulnerability_id": "VCID-c5c4-j1g5-8khe", "summary": "Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag\n### Impact\n\nThe `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.\n\n### Patches\n\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10953", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33883" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33883", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33883" }, { "reference_url": "https://github.com/advisories/GHSA-3jg4-p23x-p4qx", "reference_id": "GHSA-3jg4-p23x-p4qx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3jg4-p23x-p4qx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56087?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/56088?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33883", "GHSA-3jg4-p23x-p4qx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c5c4-j1g5-8khe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51647?format=api", "vulnerability_id": "VCID-dyc7-3jjx-gfbj", "summary": "Discoverability of user password hash in Statamic CMS\n## Description\n\nIt was possible to confirm a single character of a user's password hash (just the hash, not the password) using a specially crafted regular expression filter in the users endpoint of the REST API. Many requests could eventually uncover the entire hash.\n\nThe hash would not be in the response, however the presence or absence of a result would confirm if the character was in the right position. It would take a long time since the API has throttling enabled by default.\n\nAdditionally, the REST API would need to be enabled, as well as the users endpoint. Both of which are disabled by default.\n\n## Resolution\n\nFiltering by password or password hash has been disabled.\n\n## Credits\n\nWe would like to thank Thibaud Kehler for reporting the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50378", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24784" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/issues/5604", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/" } ], "url": "https://github.com/statamic/cms/issues/5604" }, { "reference_url": "https://github.com/statamic/cms/pull/5568", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/" } ], "url": "https://github.com/statamic/cms/pull/5568" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24784", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24784" }, { "reference_url": "https://github.com/advisories/GHSA-qcgx-7p5f-hxvr", "reference_id": "GHSA-qcgx-7p5f-hxvr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qcgx-7p5f-hxvr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87962?format=api", "purl": "pkg:composer/statamic/cms@3.2.39", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2gcu-pjav-cuab" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7r4-n7s5-z7ex" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-mxt9-vkqf-cqfr" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.2.39" }, { "url": "http://public2.vulnerablecode.io/api/packages/87963?format=api", "purl": "pkg:composer/statamic/cms@3.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2gcu-pjav-cuab" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7r4-n7s5-z7ex" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-mxt9-vkqf-cqfr" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.3.2" } ], "aliases": [ "CVE-2022-24784", "GHSA-qcgx-7p5f-hxvr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dyc7-3jjx-gfbj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20691?format=api", "vulnerability_id": "VCID-e66g-ck7z-17c7", "summary": "Statamic is vulnerable to account takeover via password reset link injection\n## Impact\n\nAn attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.\n\nThe attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.\n\n## Patches\n\nThis has been fixed in 6.7.1 and 5.73.10.\n\nNote that a follow-up report showed the original 6.3.3 fix to be insufficient. The 5.73.10 fix was sufficient.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27593", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04453", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27593" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e" }, { "reference_url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be" }, { "reference_url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.10" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.3.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.3.3" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593" }, { "reference_url": "https://github.com/advisories/GHSA-jxq9-79vj-rgvw", "reference_id": "GHSA-jxq9-79vj-rgvw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxq9-79vj-rgvw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56018?format=api", "purl": "pkg:composer/statamic/cms@5.73.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/56019?format=api", "purl": "pkg:composer/statamic/cms@6.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1" } ], "aliases": [ "CVE-2026-27593", "GHSA-jxq9-79vj-rgvw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e66g-ck7z-17c7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20983?format=api", "vulnerability_id": "VCID-ewjp-9fas-vbbx", "summary": "Statamic allows unauthorized content access through missing authorization in its revision controllers\n### Impact\nAuthenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.\n\nUsers could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08505", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33887" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33887", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33887" }, { "reference_url": "https://github.com/advisories/GHSA-4hp7-3wxg-cv9q", "reference_id": "GHSA-4hp7-3wxg-cv9q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4hp7-3wxg-cv9q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56087?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/56088?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33887", "GHSA-4hp7-3wxg-cv9q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ewjp-9fas-vbbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10039?format=api", "vulnerability_id": "VCID-f6kp-z65d-cfbq", "summary": "Statmic CMS vulnerable to account takeover via XSS and password reset link\n### Impact\n\nHTML files crafted to look like jpg files are able to be uploaded, allowing for XSS.\n\nThis affects:\n\n- front-end forms with asset fields without any mime type validation\n- asset fields in the control panel\n- asset browser in the control panel\n\nAdditionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur.\n\n### Patches\n\nIn versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled. (Users may still trigger password reset emails.)\n\n### Credits\n\nStatamic thanks Niklas Schilling (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24570", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81029", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24570" }, { "reference_url": "http://seclists.org/fulldisclosure/2024/Feb/17", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "http://seclists.org/fulldisclosure/2024/Feb/17" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570" }, { "reference_url": "https://github.com/advisories/GHSA-vqxq-hvxw-9mv9", "reference_id": "GHSA-vqxq-hvxw-9mv9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqxq-hvxw-9mv9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25423?format=api", "purl": "pkg:composer/statamic/cms@3.4.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/25414?format=api", "purl": "pkg:composer/statamic/cms@4.46.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0" } ], "aliases": [ "CVE-2024-24570", "GHSA-vqxq-hvxw-9mv9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f6kp-z65d-cfbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37948?format=api", "vulnerability_id": "VCID-h7r4-n7s5-z7ex", "summary": "Statamic CMS remote code execution via front-end form uploads\n### Impact\nOn front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. This does not affect the control panel.\n\n### Patches\nIt has been patched in 3.4.13 and 4.33.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05405", "scoring_system": "epss", "scoring_elements": "0.90272", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47129" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75" }, { "reference_url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47129", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47129" }, { "reference_url": "https://github.com/advisories/GHSA-72hg-5wr5-rmfc", "reference_id": "GHSA-72hg-5wr5-rmfc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-72hg-5wr5-rmfc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70872?format=api", "purl": "pkg:composer/statamic/cms@3.4.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2gcu-pjav-cuab" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/70871?format=api", "purl": "pkg:composer/statamic/cms@4.33.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2gcu-pjav-cuab" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0" } ], "aliases": [ "CVE-2023-47129", "GHSA-72hg-5wr5-rmfc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h7r4-n7s5-z7ex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22921?format=api", "vulnerability_id": "VCID-h7zj-9edy-7kgv", "summary": "Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential\n### Impact\nThe external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33885", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15403", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33885" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33885", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33885" }, { "reference_url": "https://github.com/advisories/GHSA-7f74-7q5w-hj4r", "reference_id": "GHSA-7f74-7q5w-hj4r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7f74-7q5w-hj4r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56087?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/56088?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33885", "GHSA-7f74-7q5w-hj4r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h7zj-9edy-7kgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15442?format=api", "vulnerability_id": "VCID-j8pv-ae2j-afar", "summary": "Statamic: Unsafe method invocation via query value resolution allows data destruction\n### Impact\n\nManipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.\n\nThe Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc.\n\nThe REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.\n\nSites that enable the REST or GraphQL API without authentication should treat patching as critical priority.\n\n### Patches\n\nThis has been fixed in 5.73.20 and 6.13.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41175", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28232", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41175" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175" }, { "reference_url": "https://github.com/advisories/GHSA-4jjr-vmv7-wh4w", "reference_id": "GHSA-4jjr-vmv7-wh4w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4jjr-vmv7-wh4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45533?format=api", "purl": "pkg:composer/statamic/cms@5.73.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/45534?format=api", "purl": "pkg:composer/statamic/cms@6.13.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0" } ], "aliases": [ "CVE-2026-41175", "GHSA-4jjr-vmv7-wh4w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j8pv-ae2j-afar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38264?format=api", "vulnerability_id": "VCID-mxt9-vkqf-cqfr", "summary": "Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG\nAntlers sanitizer cannot effectively sanitize malicious SVG\n\n### Summary\nThe SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform XSS attacks using SVG, even when using the `sanitize` function.\n\n### Details\nRegarding the previous discussion mentioned [here](https://github.com/statamic/cms/security/advisories/GHSA-jvw9-rrc5-39g6#advisory-comment-84322), it has been identified that the default blacklist in the **FilesFieldtypeController** (located at this [link](https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15)) only blocks certain file extensions such as php, php3, php4, php5, and phtml. This allows a malicious user to upload a manipulated SVG file disguised as a social media icon, potentially triggering an XSS vulnerability.\n\n### PoC Screenshot\n\n\n### PoC\n1. Create new Global set, let's say \"Settings\"\n2. Create a \"Grid\" field in Blueprint (named: social), then add somefields Name (text), URL (text) and Icon (Assets) in the section Fields.\n3. When calling the social setting in the `_footer.antlers.html`, remember to [sanitize](https://statamic.dev/modifiers/sanitize)\n```\n{{ settings:social }}\n <a href=\"{{ $url }}\" class=\"ml-4\" aria-label=\"{{ $name }}\" rel=\"noopener\">\n {{ svg :src=\"icon\" class=\"h-6 w-6 hover:text-hot-pink\" | sanitize }}\n </a>\n{{ /settings:social }}\n```\n4. Upload the malicious SVG image, here is the code:\n```\n<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n\n<svg width=\"500\" height=\"500\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n <text x=\"20\" y=\"35\">Statamic</text>\n <foreignObject width=\"500\" height=\"500\">\n <iframe xmlns=\"http://www.w3.org/1999/xhtml\" src=\"javascript:confirm(document.cookie);\" width=\"400\" height=\"250\"/>\n </foreignObject>\n</svg>\n```\n\n\n\n### Impact\nSince the social media icon is displayed in the footer layout, any user can view it, potentially leading to the execution of XSS.\n\n### Suggestions to Mitigate or Resolve the Issue:\nSanitize when outputing the svg. This vulnerability caused by unsanitized `File::get()` when retrieving the SVG, it is crucial to sanitize the SVG when outputting it. The issue can be found in the following file: https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40.\n\nIt is highly recommended to implement proper sanitization measures to ensure the security of the SVG content. One effective approach is to utilize a reliable package, such as https://github.com/darylldoyle/svg-sanitizer ,which provides comprehensive SVG sanitization capabilities.\n\nSo the code becomes:\n```php\nuse enshrined\\svgSanitize\\Sanitizer;\n\nif (File::exists($file)) {\n \n $sanitizer = new Sanitizer();\n $dirtySVG = File::get($file);\n\n $svg = $sanitizer->sanitize($dirtySVG);\n break;\n}\n```\n\n### Reference\n- https://github.com/gogs/gogs/security/advisories/GHSA-ff28-f46g-r9g8\n- https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/\n- https://blog.nintechnet.com/wordpress-elementor-plugin-fixed-svg-xss-protection-bypass-vulnerability/", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53468", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36828" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15" }, { "reference_url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40" }, { "reference_url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d" }, { "reference_url": "https://github.com/statamic/cms/pull/8408", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/pull/8408" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.10.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36828", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36828" }, { "reference_url": "https://github.com/advisories/GHSA-6r5g-cq4q-327g", "reference_id": "GHSA-6r5g-cq4q-327g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6r5g-cq4q-327g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71245?format=api", "purl": "pkg:composer/statamic/cms@4.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2gcu-pjav-cuab" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-brrn-wtn8-kkej" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-f6kp-z65d-cfbq" }, { "vulnerability": "VCID-h7r4-n7s5-z7ex" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-w6vp-68s2-73eu" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.10.0" } ], "aliases": [ "CVE-2023-36828", "GHSA-6r5g-cq4q-327g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mxt9-vkqf-cqfr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20574?format=api", "vulnerability_id": "VCID-pphq-z4cd-h3g7", "summary": "Statamic affected by privilege escalation via stored cross-site scripting\n## Impact\n\nStored XSS vulnerability in `html` fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\n## Patches\n\nThis has been fixed in 6.3.2 and 5.73.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0276", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27196" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b" }, { "reference_url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196" }, { "reference_url": "https://github.com/advisories/GHSA-8r7r-f4gm-wcpq", "reference_id": "GHSA-8r7r-f4gm-wcpq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8r7r-f4gm-wcpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55972?format=api", "purl": "pkg:composer/statamic/cms@5.73.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/55971?format=api", "purl": "pkg:composer/statamic/cms@6.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2dvd-xxru-1yd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-z69c-vqqz-t3f7" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2" } ], "aliases": [ "CVE-2026-27196", "GHSA-8r7r-f4gm-wcpq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pphq-z4cd-h3g7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22083?format=api", "vulnerability_id": "VCID-sarn-u9b1-ykh8", "summary": "Statamic has a path traversal in file dictionary fieldtype\n### Impact\n\nAuthenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33171", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06598", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33171" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33171", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33171" }, { "reference_url": "https://github.com/advisories/GHSA-qm7r-wwq7-6f85", "reference_id": "GHSA-qm7r-wwq7-6f85", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qm7r-wwq7-6f85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56363?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/56362?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33171", "GHSA-qm7r-wwq7-6f85" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sarn-u9b1-ykh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20137?format=api", "vulnerability_id": "VCID-skn8-m8xh-2bb1", "summary": "Statamic CMS's missing authorization allows access to assets\n### Impact\nUsers without permission to view assets are able are able to download them and view their metadata.\n\nLogged-out users and users without permission to access the control panel are unable to take advantage of this.\n\n### Patches\nThis has been fixed in 5.73.6 and 6.2.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02575", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25633" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a" }, { "reference_url": "https://github.com/statamic/cms/pull/13883", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/13883" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.6" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.2.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.2.5" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633" }, { "reference_url": "https://github.com/advisories/GHSA-gwmx-9gcj-332h", "reference_id": "GHSA-gwmx-9gcj-332h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gwmx-9gcj-332h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55664?format=api", "purl": "pkg:composer/statamic/cms@5.73.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/55665?format=api", "purl": "pkg:composer/statamic/cms@6.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2dvd-xxru-1yd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-z69c-vqqz-t3f7" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5" } ], "aliases": [ "CVE-2026-25633", "GHSA-gwmx-9gcj-332h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-skn8-m8xh-2bb1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12219?format=api", "vulnerability_id": "VCID-w6vp-68s2-73eu", "summary": "Statamic CMS has a Path Traversal in Asset Upload\nAssets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.\n\n### Impact\n\n- Affects front-end forms with `assets` fields.\n- Affects other places where assets can be uploaded, although users would need upload permissions anyway.\n- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.\n- Traversal _outside_ an asset container was not possible.\n\n### Patches\n\nThis has been fixed in 5.17.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52600", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60072", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52600" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d" }, { "reference_url": "https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da" }, { "reference_url": "https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52600", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52600" }, { "reference_url": "https://github.com/advisories/GHSA-p7f6-8mcm-fwv3", "reference_id": "GHSA-p7f6-8mcm-fwv3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p7f6-8mcm-fwv3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35837?format=api", "purl": "pkg:composer/statamic/cms@5.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p98-j94g-ryff" }, { "vulnerability": "VCID-2vqa-yfy2-jbd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-bxbr-5b44-hyaj" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-e66g-ck7z-17c7" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-pphq-z4cd-h3g7" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-skn8-m8xh-2bb1" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" }, { "vulnerability": "VCID-zzau-63gf-rbb1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0" } ], "aliases": [ "CVE-2024-52600", "GHSA-p7f6-8mcm-fwv3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w6vp-68s2-73eu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23381?format=api", "vulnerability_id": "VCID-y5tf-8d7q-fkfu", "summary": "Statamic's live preview token bypasses content protection for unrelated entries\n### Impact\nAn authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33884", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1054", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33884" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33884", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33884" }, { "reference_url": "https://github.com/advisories/GHSA-8vwx-ccf6-5wg2", "reference_id": "GHSA-8vwx-ccf6-5wg2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8vwx-ccf6-5wg2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56087?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/56088?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j8pv-ae2j-afar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33884", "GHSA-8vwx-ccf6-5wg2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y5tf-8d7q-fkfu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22138?format=api", "vulnerability_id": "VCID-yw82-tupk-23bv", "summary": "Statamic is missing authorization check on taxonomy term creation via fieldtype\n### Impact\n\nLow-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33177", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02692", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33177" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33177", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33177" }, { "reference_url": "https://github.com/advisories/GHSA-wh3h-gvc4-cc2g", "reference_id": "GHSA-wh3h-gvc4-cc2g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh3h-gvc4-cc2g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56363?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/56362?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33177", "GHSA-wh3h-gvc4-cc2g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yw82-tupk-23bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21251?format=api", "vulnerability_id": "VCID-z349-rwka-m3g1", "summary": "Statamic has Stored XSS via SVG Sanitization Bypass\n### Impact\n\nStored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33172", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02647", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33172" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33172", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33172" }, { "reference_url": "https://github.com/advisories/GHSA-7rcv-55mj-chg7", "reference_id": "GHSA-7rcv-55mj-chg7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7rcv-55mj-chg7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56363?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/56362?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-xcve-dyea-jqdg" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33172", "GHSA-7rcv-55mj-chg7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z349-rwka-m3g1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21571?format=api", "vulnerability_id": "VCID-zzau-63gf-rbb1", "summary": "Statamic's missing authorization allows access to email addresses\n### Impact\nUser email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.\n\n### Patches\nThis has been fixed in 5.73.11 and 6.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28424", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.132", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28424" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424" }, { "reference_url": "https://github.com/advisories/GHSA-w878-f8c6-7r63", "reference_id": "GHSA-w878-f8c6-7r63", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w878-f8c6-7r63" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57002?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/55696?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2dvd-xxru-1yd7" }, { "vulnerability": "VCID-4aqv-qs5w-hkdb" }, { "vulnerability": "VCID-6xpu-jzvq-tuh7" }, { "vulnerability": "VCID-c5c4-j1g5-8khe" }, { "vulnerability": "VCID-ewjp-9fas-vbbx" }, { "vulnerability": "VCID-h7zj-9edy-7kgv" }, { "vulnerability": "VCID-j8pv-ae2j-afar" }, { "vulnerability": "VCID-sarn-u9b1-ykh8" }, { "vulnerability": "VCID-y5tf-8d7q-fkfu" }, { "vulnerability": "VCID-yw82-tupk-23bv" }, { "vulnerability": "VCID-z349-rwka-m3g1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28424", "GHSA-w878-f8c6-7r63" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zzau-63gf-rbb1" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.0.0" }
\n\n###](http://Screenshot%5Cn%5Cn%5Cn###){kind=link}