Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/statamic/cms@5.73.10
purl pkg:composer/statamic/cms@5.73.10
Next non-vulnerable version 5.73.20
Latest non-vulnerable version 6.18.1
Risk
Vulnerabilities affecting this package (13)
Vulnerability Summary Fixed by
VCID-2nav-d5sc-buc2
Aliases:
CVE-2026-33885
GHSA-7f74-7q5w-hj4r
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-3ecw-t3fm-3fh4
Aliases:
CVE-2026-41175
GHSA-4jjr-vmv7-wh4w
5.73.20
Affected by 0 other vulnerabilities.
6.13.0
Affected by 0 other vulnerabilities.
VCID-5ukf-bhcd-suhw
Aliases:
CVE-2026-28425
GHSA-cpv7-q2wx-m8rw
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-cdfx-dkc6-suha
Aliases:
CVE-2026-28423
GHSA-cwpp-325q-2cvp
Statamic Vulnerable to Server-Side Request Forgery via Glide When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.
5.73.11
Affected by 10 other vulnerabilities.
6.4.0
Affected by 11 other vulnerabilities.
VCID-e9pw-5s2v-yqct
Aliases:
CVE-2026-33882
GHSA-cvh3-23vq-w7h4
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-fjkd-mnrz-hkh2
Aliases:
CVE-2026-33177
GHSA-wh3h-gvc4-cc2g
5.73.14
Affected by 7 other vulnerabilities.
6.7.0
Affected by 7 other vulnerabilities.
VCID-hnye-658u-yfcx
Aliases:
CVE-2026-33884
GHSA-8vwx-ccf6-5wg2
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-kctx-wwrz-eyab
Aliases:
CVE-2026-28424
GHSA-w878-f8c6-7r63
Statamic's missing authorization allows access to email addresses User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.
5.73.11
Affected by 10 other vulnerabilities.
6.4.0
Affected by 11 other vulnerabilities.
VCID-s55s-2gzg-13c2
Aliases:
CVE-2026-33887
GHSA-4hp7-3wxg-cv9q
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-sw5p-h53c-wkhb
Aliases:
CVE-2026-28426
GHSA-5vrj-wf7v-5wr7
Statamic vulnerable to privilege escalation via stored cross-site scripting Stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
5.73.11
Affected by 10 other vulnerabilities.
6.4.0
Affected by 11 other vulnerabilities.
VCID-t5kq-pvrj-t7fy
Aliases:
CVE-2026-33883
GHSA-3jg4-p23x-p4qx
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-x5p5-ez6j-2qe8
Aliases:
CVE-2026-33171
GHSA-qm7r-wwq7-6f85
5.73.14
Affected by 7 other vulnerabilities.
6.7.0
Affected by 7 other vulnerabilities.
VCID-xj5k-a1we-7ffx
Aliases:
CVE-2026-33172
GHSA-7rcv-55mj-chg7
5.73.14
Affected by 7 other vulnerabilities.
6.7.0
Affected by 7 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-2h8u-ckde-8fad Statamic is vulnerable to account takeover via password reset link injection An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. CVE-2026-27593
GHSA-jxq9-79vj-rgvw

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T10:48:56.051285+00:00 GitLab Importer Affected by VCID-3ecw-t3fm-3fh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/GHSA-4jjr-vmv7-wh4w.yml 38.6.0
2026-06-01T10:47:30.521567+00:00 GitLab Importer Affected by VCID-3ecw-t3fm-3fh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-41175.yml 38.6.0
2026-06-01T10:17:59.614540+00:00 GitLab Importer Affected by VCID-e9pw-5s2v-yqct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33882.yml 38.6.0
2026-06-01T10:16:56.896928+00:00 GitLab Importer Affected by VCID-2nav-d5sc-buc2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33885.yml 38.6.0
2026-06-01T10:16:43.363315+00:00 GitLab Importer Affected by VCID-t5kq-pvrj-t7fy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33883.yml 38.6.0
2026-06-01T10:16:35.264894+00:00 GitLab Importer Affected by VCID-hnye-658u-yfcx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33884.yml 38.6.0
2026-06-01T10:16:14.374113+00:00 GitLab Importer Affected by VCID-s55s-2gzg-13c2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33887.yml 38.6.0
2026-06-01T10:10:11.767851+00:00 GitLab Importer Affected by VCID-xj5k-a1we-7ffx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33172.yml 38.6.0
2026-06-01T10:10:04.233045+00:00 GitLab Importer Affected by VCID-fjkd-mnrz-hkh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33177.yml 38.6.0
2026-06-01T10:09:41.695976+00:00 GitLab Importer Affected by VCID-x5p5-ez6j-2qe8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33171.yml 38.6.0
2026-06-01T09:48:48.121665+00:00 GitLab Importer Affected by VCID-sw5p-h53c-wkhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28426.yml 38.6.0
2026-06-01T09:48:38.381103+00:00 GitLab Importer Affected by VCID-5ukf-bhcd-suhw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28425.yml 38.6.0
2026-06-01T09:48:35.224079+00:00 GitLab Importer Affected by VCID-kctx-wwrz-eyab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28424.yml 38.6.0
2026-06-01T09:48:32.589117+00:00 GitLab Importer Affected by VCID-cdfx-dkc6-suha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28423.yml 38.6.0
2026-05-31T10:54:21.743127+00:00 GithubOSV Importer Fixing VCID-2h8u-ckde-8fad https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-jxq9-79vj-rgvw/GHSA-jxq9-79vj-rgvw.json 38.6.0
2026-05-31T01:07:48.239044+00:00 GHSA Importer Fixing VCID-2h8u-ckde-8fad https://github.com/advisories/GHSA-jxq9-79vj-rgvw 38.6.0
2026-05-30T21:07:05.412742+00:00 GitLab Importer Fixing VCID-2h8u-ckde-8fad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-27593.yml 38.6.0