Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/665686?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/665686?format=api", "purl": "pkg:composer/statamic/cms@3.4.12", "type": "composer", "namespace": "statamic", "name": "cms", "version": "3.4.12", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.73.21", "latest_non_vulnerable_version": "6.18.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66092?format=api", "vulnerability_id": "VCID-1fy7-n7hd-87b9", "summary": "Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02454", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02452", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03135", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03148", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25633" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/pull/13883", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/13883" }, { "reference_url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "reference_id": "5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633", "reference_id": "CVE-2026-25633", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633" }, { "reference_url": "https://github.com/advisories/GHSA-gwmx-9gcj-332h", "reference_id": "GHSA-gwmx-9gcj-332h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gwmx-9gcj-332h" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "reference_id": "GHSA-gwmx-9gcj-332h", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.6", "reference_id": "v5.73.6", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.6" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.2.5", "reference_id": "v6.2.5", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.2.5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39085?format=api", "purl": "pkg:composer/statamic/cms@5.73.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/39088?format=api", "purl": "pkg:composer/statamic/cms@6.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-3zh8-e7tr-gye9" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-w7sz-egcg-e7g5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5" } ], "aliases": [ "CVE-2026-25633", "GHSA-gwmx-9gcj-332h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1fy7-n7hd-87b9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81013?format=api", "vulnerability_id": "VCID-2ueq-n7pd-1yav", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41175", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.283", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28087", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28308", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28284", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41175" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175" }, { "reference_url": "https://github.com/advisories/GHSA-4jjr-vmv7-wh4w", "reference_id": "GHSA-4jjr-vmv7-wh4w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4jjr-vmv7-wh4w" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w", "reference_id": "GHSA-4jjr-vmv7-wh4w", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373462?format=api", "purl": "pkg:composer/statamic/cms@5.73.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/373463?format=api", "purl": "pkg:composer/statamic/cms@6.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0" } ], "aliases": [ "CVE-2026-41175", "GHSA-4jjr-vmv7-wh4w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ueq-n7pd-1yav" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77641?format=api", "vulnerability_id": "VCID-3afh-kvfu-q3f6", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33172", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02517", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02524", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02527", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33172" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33172", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33172" }, { "reference_url": "https://github.com/advisories/GHSA-7rcv-55mj-chg7", "reference_id": "GHSA-7rcv-55mj-chg7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7rcv-55mj-chg7" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "reference_id": "GHSA-7rcv-55mj-chg7", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374643?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/374642?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33172", "GHSA-7rcv-55mj-chg7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3afh-kvfu-q3f6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78305?format=api", "vulnerability_id": "VCID-5vp8-dye1-wbd9", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33171", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06461", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06429", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06442", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.0645", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33171" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33171", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33171" }, { "reference_url": "https://github.com/advisories/GHSA-qm7r-wwq7-6f85", "reference_id": "GHSA-qm7r-wwq7-6f85", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qm7r-wwq7-6f85" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85", "reference_id": "GHSA-qm7r-wwq7-6f85", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374643?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/374642?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33171", "GHSA-qm7r-wwq7-6f85" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5vp8-dye1-wbd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69609?format=api", "vulnerability_id": "VCID-62mz-fap3-7khn", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28425", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40734", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.4072", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.4071", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40543", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28425" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.16" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.7.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.7.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28425", "reference_id": "CVE-2026-28425", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28425" }, { "reference_url": "https://github.com/advisories/GHSA-cpv7-q2wx-m8rw", "reference_id": "GHSA-cpv7-q2wx-m8rw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cpv7-q2wx-m8rw" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw", "reference_id": "GHSA-cpv7-q2wx-m8rw", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "v5.73.11", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "v6.4.0", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40015?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/40016?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-28425", "GHSA-cpv7-q2wx-m8rw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-62mz-fap3-7khn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/357445?format=api", "vulnerability_id": "VCID-94xa-dsvn-77ee", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48701", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.76842", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.76912", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.76927", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.7692", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48701" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v3.4.15", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v3.4.15" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.36.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.36.0" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48701", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48701" }, { "reference_url": "https://github.com/advisories/GHSA-8jjh-j3c2-cjcv", "reference_id": "GHSA-8jjh-j3c2-cjcv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8jjh-j3c2-cjcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381115?format=api", "purl": "pkg:composer/statamic/cms@3.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-bdpx-mypp-auge" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/381116?format=api", "purl": "pkg:composer/statamic/cms@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-bdpx-mypp-auge" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0" } ], "aliases": [ "CVE-2023-48701", "GHSA-8jjh-j3c2-cjcv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-94xa-dsvn-77ee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77837?format=api", "vulnerability_id": "VCID-9chh-y51z-uqdy", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12907", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12899", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12811", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12918", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33883" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33883", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33883" }, { "reference_url": "https://github.com/advisories/GHSA-3jg4-p23x-p4qx", "reference_id": "GHSA-3jg4-p23x-p4qx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3jg4-p23x-p4qx" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx", "reference_id": "GHSA-3jg4-p23x-p4qx", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40015?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/40016?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33883", "GHSA-3jg4-p23x-p4qx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9chh-y51z-uqdy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77737?format=api", "vulnerability_id": "VCID-acat-8pec-yycn", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33885", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16768", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16632", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16794", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16781", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33885" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33885", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33885" }, { "reference_url": "https://github.com/advisories/GHSA-7f74-7q5w-hj4r", "reference_id": "GHSA-7f74-7q5w-hj4r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7f74-7q5w-hj4r" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "reference_id": "GHSA-7f74-7q5w-hj4r", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40015?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/40016?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33885", "GHSA-7f74-7q5w-hj4r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-acat-8pec-yycn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61639?format=api", "vulnerability_id": "VCID-bdpx-mypp-auge", "summary": "Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24570", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81205", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81204", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81214", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81145", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24570" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "http://seclists.org/fulldisclosure/2024/Feb/17", "reference_id": "17", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "http://seclists.org/fulldisclosure/2024/Feb/17" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570", "reference_id": "CVE-2024-24570", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570" }, { "reference_url": "https://github.com/advisories/GHSA-vqxq-hvxw-9mv9", "reference_id": "GHSA-vqxq-hvxw-9mv9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqxq-hvxw-9mv9" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9", "reference_id": "GHSA-vqxq-hvxw-9mv9", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9" }, { "reference_url": "http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html", "reference_id": "Statamic-CMS-Cross-Site-Scripting.html", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28673?format=api", "purl": "pkg:composer/statamic/cms@3.4.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/28675?format=api", "purl": "pkg:composer/statamic/cms@4.46.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0" } ], "aliases": [ "CVE-2024-24570", "GHSA-vqxq-hvxw-9mv9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bdpx-mypp-auge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77640?format=api", "vulnerability_id": "VCID-c8nx-d391-63bw", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33882", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.2832", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28336", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28124", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28344", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33882" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33882", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33882" }, { "reference_url": "https://github.com/advisories/GHSA-cvh3-23vq-w7h4", "reference_id": "GHSA-cvh3-23vq-w7h4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cvh3-23vq-w7h4" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4", "reference_id": "GHSA-cvh3-23vq-w7h4", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40015?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/40016?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33882", "GHSA-cvh3-23vq-w7h4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8nx-d391-63bw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78286?format=api", "vulnerability_id": "VCID-crhs-g4rj-y3du", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33884", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12379", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12366", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12288", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12387", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33884" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33884", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33884" }, { "reference_url": "https://github.com/advisories/GHSA-8vwx-ccf6-5wg2", "reference_id": "GHSA-8vwx-ccf6-5wg2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8vwx-ccf6-5wg2" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "reference_id": "GHSA-8vwx-ccf6-5wg2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40015?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/40016?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33884", "GHSA-8vwx-ccf6-5wg2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-crhs-g4rj-y3du" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67601?format=api", "vulnerability_id": "VCID-g8pq-2yub-kkc8", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44306", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11544", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11621", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1284", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12857", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44306" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44306", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44306" }, { "reference_url": "https://github.com/advisories/GHSA-m24v-f7g5-gq67", "reference_id": "GHSA-m24v-f7g5-gq67", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m24v-f7g5-gq67" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67", "reference_id": "GHSA-m24v-f7g5-gq67", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375684?format=api", "purl": "pkg:composer/statamic/cms@5.73.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/375685?format=api", "purl": "pkg:composer/statamic/cms@6.15.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0" } ], "aliases": [ "CVE-2026-44306", "GHSA-m24v-f7g5-gq67" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g8pq-2yub-kkc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69390?format=api", "vulnerability_id": "VCID-gxn8-7hm9-g3b3", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28426", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02141", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02136", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02132", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28426" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28426", "reference_id": "CVE-2026-28426", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28426" }, { "reference_url": "https://github.com/advisories/GHSA-5vrj-wf7v-5wr7", "reference_id": "GHSA-5vrj-wf7v-5wr7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vrj-wf7v-5wr7" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7", "reference_id": "GHSA-5vrj-wf7v-5wr7", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "v5.73.11", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "v6.4.0", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40013?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-pxjn-93a2-53fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/39982?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-3zh8-e7tr-gye9" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-pxjn-93a2-53fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28426", "GHSA-5vrj-wf7v-5wr7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gxn8-7hm9-g3b3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77811?format=api", "vulnerability_id": "VCID-kajb-u17y-7ufu", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09984", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09945", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09998", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09993", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33887" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33887", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33887" }, { "reference_url": "https://github.com/advisories/GHSA-4hp7-3wxg-cv9q", "reference_id": "GHSA-4hp7-3wxg-cv9q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hp7-3wxg-cv9q" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q", "reference_id": "GHSA-4hp7-3wxg-cv9q", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40015?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/40016?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33887", "GHSA-4hp7-3wxg-cv9q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kajb-u17y-7ufu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/146484?format=api", "vulnerability_id": "VCID-n3wy-rvyw-m7dc", "summary": "Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48217", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.78014", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.78008", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.77933", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.78001", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48217" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6" }, { "reference_url": "https://github.com/statamic/cms/pull/8991", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/8991" }, { "reference_url": "https://github.com/statamic/cms/pull/8992", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/8992" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v3.4.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v3.4.14" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.34.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.34.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48217", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48217" }, { "reference_url": "https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411", "reference_id": "4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/" } ], "url": "https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411" }, { "reference_url": "https://github.com/advisories/GHSA-2r53-9295-3m86", "reference_id": "GHSA-2r53-9295-3m86", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2r53-9295-3m86" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86", "reference_id": "GHSA-2r53-9295-3m86", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381166?format=api", "purl": "pkg:composer/statamic/cms@3.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-94xa-dsvn-77ee" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-bdpx-mypp-auge" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/638279?format=api", "purl": "pkg:composer/statamic/cms@4.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-etr9-3n87-d3ch" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/381165?format=api", "purl": "pkg:composer/statamic/cms@4.34.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-94xa-dsvn-77ee" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-bdpx-mypp-auge" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0" } ], "aliases": [ "CVE-2023-48217", "GHSA-2r53-9295-3m86" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n3wy-rvyw-m7dc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69196?format=api", "vulnerability_id": "VCID-nqhe-2h4b-wkc1", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28423", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07382", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.0739", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07399", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07359", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28423" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28423", "reference_id": "CVE-2026-28423", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28423" }, { "reference_url": "https://github.com/advisories/GHSA-cwpp-325q-2cvp", "reference_id": "GHSA-cwpp-325q-2cvp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwpp-325q-2cvp" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp", "reference_id": "GHSA-cwpp-325q-2cvp", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "v5.73.11", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "v6.4.0", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40013?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-pxjn-93a2-53fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/39982?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-3zh8-e7tr-gye9" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-pxjn-93a2-53fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28423", "GHSA-cwpp-325q-2cvp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqhe-2h4b-wkc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80238?format=api", "vulnerability_id": "VCID-nsp1-qqp9-g3g9", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27593", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04345", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04353", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04358", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04346", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27593" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e", "reference_id": "6fdd03324982848e8754f2edd2265262d361714e", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e" }, { "reference_url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be", "reference_id": "78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be" }, { "reference_url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0", "reference_id": "b2be592ddfb588bcb88c9be454f3590e14b145b0", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593", "reference_id": "CVE-2026-27593", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593" }, { "reference_url": "https://github.com/advisories/GHSA-jxq9-79vj-rgvw", "reference_id": "GHSA-jxq9-79vj-rgvw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxq9-79vj-rgvw" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw", "reference_id": "GHSA-jxq9-79vj-rgvw", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.10", "reference_id": "v5.73.10", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.10" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.3.3", "reference_id": "v6.3.3", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.3.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39799?format=api", "purl": "pkg:composer/statamic/cms@5.73.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/39802?format=api", "purl": "pkg:composer/statamic/cms@6.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1" } ], "aliases": [ "CVE-2026-27593", "GHSA-jxq9-79vj-rgvw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nsp1-qqp9-g3g9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78230?format=api", "vulnerability_id": "VCID-pxjn-93a2-53fs", "summary": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33177", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02568", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02576", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02578", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33177" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33177", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33177" }, { "reference_url": "https://github.com/advisories/GHSA-wh3h-gvc4-cc2g", "reference_id": "GHSA-wh3h-gvc4-cc2g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wh3h-gvc4-cc2g" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "reference_id": "GHSA-wh3h-gvc4-cc2g", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374643?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/374642?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-53nt-msa9-p7b2" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33177", "GHSA-wh3h-gvc4-cc2g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pxjn-93a2-53fs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/147810?format=api", "vulnerability_id": "VCID-rnrk-n64t-ybhw", "summary": "Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90861", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90898", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.9089", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47129" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47129", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47129" }, { "reference_url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75", "reference_id": "098ef8024d97286ca501273c18ae75b646262d75", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75" }, { "reference_url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77", "reference_id": "f6c688154f6bdbd0b67039f8f11dcd98ba061e77", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77" }, { "reference_url": "https://github.com/advisories/GHSA-72hg-5wr5-rmfc", "reference_id": "GHSA-72hg-5wr5-rmfc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72hg-5wr5-rmfc" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc", "reference_id": "GHSA-72hg-5wr5-rmfc", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381089?format=api", "purl": "pkg:composer/statamic/cms@3.4.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-94xa-dsvn-77ee" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-bdpx-mypp-auge" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-n3wy-rvyw-m7dc" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/381088?format=api", "purl": "pkg:composer/statamic/cms@4.33.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-94xa-dsvn-77ee" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-bdpx-mypp-auge" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-n3wy-rvyw-m7dc" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" }, { "vulnerability": "VCID-z2qu-kkwp-dfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0" } ], "aliases": [ "CVE-2023-47129", "GHSA-72hg-5wr5-rmfc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rnrk-n64t-ybhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79707?format=api", "vulnerability_id": "VCID-s17m-ejen-bya7", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02638", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02628", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02637", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02632", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27196" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b", "reference_id": "11ae40e62edd3da044d37ebf264757a09cc2347b", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b" }, { "reference_url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3", "reference_id": "6c270dacc2be02bfc2eee500766f3309f59d47b3", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196", "reference_id": "CVE-2026-27196", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196" }, { "reference_url": "https://github.com/advisories/GHSA-8r7r-f4gm-wcpq", "reference_id": "GHSA-8r7r-f4gm-wcpq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8r7r-f4gm-wcpq" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq", "reference_id": "GHSA-8r7r-f4gm-wcpq", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39452?format=api", "purl": "pkg:composer/statamic/cms@5.73.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/39453?format=api", "purl": "pkg:composer/statamic/cms@6.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-3zh8-e7tr-gye9" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-w7sz-egcg-e7g5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2" } ], "aliases": [ "CVE-2026-27196", "GHSA-8r7r-f4gm-wcpq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s17m-ejen-bya7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69194?format=api", "vulnerability_id": "VCID-tys6-5sqz-dfhw", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28424", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13277", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13302", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13294", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13194", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28424" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424", "reference_id": "CVE-2026-28424", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424" }, { "reference_url": "https://github.com/advisories/GHSA-w878-f8c6-7r63", "reference_id": "GHSA-w878-f8c6-7r63", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w878-f8c6-7r63" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "reference_id": "GHSA-w878-f8c6-7r63", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "v5.73.11", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "v6.4.0", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40013?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-pxjn-93a2-53fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/39982?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-3zh8-e7tr-gye9" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-pxjn-93a2-53fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28424", "GHSA-w878-f8c6-7r63" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tys6-5sqz-dfhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90983?format=api", "vulnerability_id": "VCID-vb35-2r2f-cqcf", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11018", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10988", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11051", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11049", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64112" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.22.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.22.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64112", "reference_id": "CVE-2025-64112", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64112" }, { "reference_url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1", "reference_id": "e513751f433679ce698606e20c554a0c839987c1", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/" } ], "url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1" }, { "reference_url": "https://github.com/advisories/GHSA-g59r-24g3-h7cm", "reference_id": "GHSA-g59r-24g3-h7cm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g59r-24g3-h7cm" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm", "reference_id": "GHSA-g59r-24g3-h7cm", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34935?format=api", "purl": "pkg:composer/statamic/cms@5.22.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1" } ], "aliases": [ "CVE-2025-64112", "GHSA-g59r-24g3-h7cm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vb35-2r2f-cqcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43730?format=api", "vulnerability_id": "VCID-z2qu-kkwp-dfew", "summary": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52600", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60225", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60336", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60331", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60343", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52600" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52600", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52600" }, { "reference_url": "https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d", "reference_id": "0c07c10009a2439c8ee56c8faefd1319dc6e388d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d" }, { "reference_url": "https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da", "reference_id": "400875b20f40e1343699d536a432a6fc284346da", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da" }, { "reference_url": "https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d", "reference_id": "4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d" }, { "reference_url": "https://github.com/advisories/GHSA-p7f6-8mcm-fwv3", "reference_id": "GHSA-p7f6-8mcm-fwv3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p7f6-8mcm-fwv3" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3", "reference_id": "GHSA-p7f6-8mcm-fwv3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372872?format=api", "purl": "pkg:composer/statamic/cms@5.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1fy7-n7hd-87b9" }, { "vulnerability": "VCID-2ueq-n7pd-1yav" }, { "vulnerability": "VCID-3afh-kvfu-q3f6" }, { "vulnerability": "VCID-5vp8-dye1-wbd9" }, { "vulnerability": "VCID-62mz-fap3-7khn" }, { "vulnerability": "VCID-9chh-y51z-uqdy" }, { "vulnerability": "VCID-acat-8pec-yycn" }, { "vulnerability": "VCID-c8nx-d391-63bw" }, { "vulnerability": "VCID-crhs-g4rj-y3du" }, { "vulnerability": "VCID-g8pq-2yub-kkc8" }, { "vulnerability": "VCID-gxn8-7hm9-g3b3" }, { "vulnerability": "VCID-kajb-u17y-7ufu" }, { "vulnerability": "VCID-nqhe-2h4b-wkc1" }, { "vulnerability": "VCID-nsp1-qqp9-g3g9" }, { "vulnerability": "VCID-pxjn-93a2-53fs" }, { "vulnerability": "VCID-s17m-ejen-bya7" }, { "vulnerability": "VCID-tys6-5sqz-dfhw" }, { "vulnerability": "VCID-vb35-2r2f-cqcf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0" } ], "aliases": [ "CVE-2024-52600", "GHSA-p7f6-8mcm-fwv3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z2qu-kkwp-dfew" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.12" }