Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/statamic/cms@6.7.0

Type composer

Namespace statamic

Name cms

Version 6.7.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 6.15.0

Latest_non_vulnerable_version 6.18.1

Affected_by_vulnerabilities

url VCID-2ueq-n7pd-1yav

vulnerability_id VCID-2ueq-n7pd-1yav

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-41175

reference_id

reference_type

scores

value	0.00105
scoring_system	epss
scoring_elements	0.28308
published_at	2026-06-13T12:55:00Z

value	0.00105
scoring_system	epss
scoring_elements	0.28087
published_at	2026-06-11T12:55:00Z

value	0.00105
scoring_system	epss
scoring_elements	0.28284
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-41175

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-41175

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-41175

reference_url

https://github.com/advisories/GHSA-4jjr-vmv7-wh4w

reference_id

GHSA-4jjr-vmv7-wh4w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4jjr-vmv7-wh4w

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w

reference_id

GHSA-4jjr-vmv7-wh4w

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w

fixed_packages

url pkg:composer/statamic/cms@6.13.0

purl pkg:composer/statamic/cms@6.13.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0

aliases CVE-2026-41175, GHSA-4jjr-vmv7-wh4w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ueq-n7pd-1yav

url VCID-53nt-msa9-p7b2

vulnerability_id VCID-53nt-msa9-p7b2

summary Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33886

reference_id

reference_type

scores

value	0.00077
scoring_system	epss
scoring_elements	0.23371
published_at	2026-06-13T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23163
published_at	2026-06-11T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23358
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33886

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33886

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33886

reference_url

https://github.com/advisories/GHSA-gcqf-5x9f-hq7f

reference_id

GHSA-gcqf-5x9f-hq7f

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gcqf-5x9f-hq7f

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f

reference_id

GHSA-gcqf-5x9f-hq7f

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:40Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f

fixed_packages

url pkg:composer/statamic/cms@6.7.2

purl pkg:composer/statamic/cms@6.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2

aliases CVE-2026-33886, GHSA-gcqf-5x9f-hq7f

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-53nt-msa9-p7b2

url VCID-9chh-y51z-uqdy

vulnerability_id VCID-9chh-y51z-uqdy

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33883

reference_id

reference_type

scores

value	0.00041
scoring_system	epss
scoring_elements	0.12918
published_at	2026-06-13T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.12811
published_at	2026-06-11T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.12907
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33883

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33883

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33883

reference_url

https://github.com/advisories/GHSA-3jg4-p23x-p4qx

reference_id

GHSA-3jg4-p23x-p4qx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3jg4-p23x-p4qx

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx

reference_id

GHSA-3jg4-p23x-p4qx

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx

fixed_packages

url pkg:composer/statamic/cms@6.7.2

purl pkg:composer/statamic/cms@6.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2

aliases CVE-2026-33883, GHSA-3jg4-p23x-p4qx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9chh-y51z-uqdy

url VCID-acat-8pec-yycn

vulnerability_id VCID-acat-8pec-yycn

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33885

reference_id

reference_type

scores

value	0.00052
scoring_system	epss
scoring_elements	0.16794
published_at	2026-06-13T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16632
published_at	2026-06-11T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16781
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33885

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33885

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33885

reference_url

https://github.com/advisories/GHSA-7f74-7q5w-hj4r

reference_id

GHSA-7f74-7q5w-hj4r

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7f74-7q5w-hj4r

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r

reference_id

GHSA-7f74-7q5w-hj4r

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r

fixed_packages

url pkg:composer/statamic/cms@6.7.2

purl pkg:composer/statamic/cms@6.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2

aliases CVE-2026-33885, GHSA-7f74-7q5w-hj4r

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acat-8pec-yycn

url VCID-c8nx-d391-63bw

vulnerability_id VCID-c8nx-d391-63bw

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33882

reference_id

reference_type

scores

value	0.00106
scoring_system	epss
scoring_elements	0.28344
published_at	2026-06-13T12:55:00Z

value	0.00106
scoring_system	epss
scoring_elements	0.28124
published_at	2026-06-11T12:55:00Z

value	0.00106
scoring_system	epss
scoring_elements	0.2832
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33882

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33882

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33882

reference_url

https://github.com/advisories/GHSA-cvh3-23vq-w7h4

reference_id

GHSA-cvh3-23vq-w7h4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cvh3-23vq-w7h4

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4

reference_id

GHSA-cvh3-23vq-w7h4

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4

fixed_packages

url pkg:composer/statamic/cms@6.7.2

purl pkg:composer/statamic/cms@6.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2

aliases CVE-2026-33882, GHSA-cvh3-23vq-w7h4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8nx-d391-63bw

url VCID-crhs-g4rj-y3du

vulnerability_id VCID-crhs-g4rj-y3du

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33884

reference_id

reference_type

scores

value	0.0004
scoring_system	epss
scoring_elements	0.12387
published_at	2026-06-13T12:55:00Z

value	0.0004
scoring_system	epss
scoring_elements	0.12288
published_at	2026-06-11T12:55:00Z

value	0.0004
scoring_system	epss
scoring_elements	0.12379
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33884

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33884

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33884

reference_url

https://github.com/advisories/GHSA-8vwx-ccf6-5wg2

reference_id

GHSA-8vwx-ccf6-5wg2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8vwx-ccf6-5wg2

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2

reference_id

GHSA-8vwx-ccf6-5wg2

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2

fixed_packages

url pkg:composer/statamic/cms@6.7.2

purl pkg:composer/statamic/cms@6.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2

aliases CVE-2026-33884, GHSA-8vwx-ccf6-5wg2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-crhs-g4rj-y3du

url VCID-g8pq-2yub-kkc8

vulnerability_id VCID-g8pq-2yub-kkc8

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44306

reference_id

reference_type

scores

value	0.00037
scoring_system	epss
scoring_elements	0.11544
published_at	2026-06-11T12:55:00Z

value	0.00037
scoring_system	epss
scoring_elements	0.11621
published_at	2026-06-12T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.12857
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44306

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44306

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44306

reference_url

https://github.com/advisories/GHSA-m24v-f7g5-gq67

reference_id

GHSA-m24v-f7g5-gq67

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m24v-f7g5-gq67

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67

reference_id

GHSA-m24v-f7g5-gq67

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67

fixed_packages

url	pkg:composer/statamic/cms@6.15.0
purl	pkg:composer/statamic/cms@6.15.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0

aliases CVE-2026-44306, GHSA-m24v-f7g5-gq67

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g8pq-2yub-kkc8

url VCID-kajb-u17y-7ufu

vulnerability_id VCID-kajb-u17y-7ufu

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33887

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09998
published_at	2026-06-13T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09945
published_at	2026-06-11T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09993
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33887

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33887

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33887

reference_url

https://github.com/advisories/GHSA-4hp7-3wxg-cv9q

reference_id

GHSA-4hp7-3wxg-cv9q

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4hp7-3wxg-cv9q

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q

reference_id

GHSA-4hp7-3wxg-cv9q

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q

fixed_packages

url pkg:composer/statamic/cms@6.7.2

purl pkg:composer/statamic/cms@6.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-g8pq-2yub-kkc8

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2

aliases CVE-2026-33887, GHSA-4hp7-3wxg-cv9q

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kajb-u17y-7ufu

Fixing_vulnerabilities

url VCID-3afh-kvfu-q3f6

vulnerability_id VCID-3afh-kvfu-q3f6

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33172

reference_id

reference_type

scores

value	0.00014
scoring_system	epss
scoring_elements	0.02517
published_at	2026-06-13T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02524
published_at	2026-06-11T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02527
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33172

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33172

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33172

reference_url

https://github.com/advisories/GHSA-7rcv-55mj-chg7

reference_id

GHSA-7rcv-55mj-chg7

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7rcv-55mj-chg7

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7

reference_id

GHSA-7rcv-55mj-chg7

reference_type

scores

value	8.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7

fixed_packages

url pkg:composer/statamic/cms@5.73.14

purl pkg:composer/statamic/cms@5.73.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-53nt-msa9-p7b2

vulnerability	VCID-9chh-y51z-uqdy

vulnerability	VCID-acat-8pec-yycn

vulnerability	VCID-c8nx-d391-63bw

vulnerability	VCID-crhs-g4rj-y3du

vulnerability	VCID-g8pq-2yub-kkc8

vulnerability	VCID-kajb-u17y-7ufu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14

url pkg:composer/statamic/cms@6.7.0

purl pkg:composer/statamic/cms@6.7.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-53nt-msa9-p7b2

vulnerability	VCID-9chh-y51z-uqdy

vulnerability	VCID-acat-8pec-yycn

vulnerability	VCID-c8nx-d391-63bw

vulnerability	VCID-crhs-g4rj-y3du

vulnerability	VCID-g8pq-2yub-kkc8

vulnerability	VCID-kajb-u17y-7ufu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0

aliases CVE-2026-33172, GHSA-7rcv-55mj-chg7

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3afh-kvfu-q3f6

url VCID-5vp8-dye1-wbd9

vulnerability_id VCID-5vp8-dye1-wbd9

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33171

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.0645
published_at	2026-06-13T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06442
published_at	2026-06-11T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06461
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33171

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33171

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33171

reference_url

https://github.com/advisories/GHSA-qm7r-wwq7-6f85

reference_id

GHSA-qm7r-wwq7-6f85

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qm7r-wwq7-6f85

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85

reference_id

GHSA-qm7r-wwq7-6f85

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85

fixed_packages

url pkg:composer/statamic/cms@5.73.14

purl pkg:composer/statamic/cms@5.73.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-53nt-msa9-p7b2

vulnerability	VCID-9chh-y51z-uqdy

vulnerability	VCID-acat-8pec-yycn

vulnerability	VCID-c8nx-d391-63bw

vulnerability	VCID-crhs-g4rj-y3du

vulnerability	VCID-g8pq-2yub-kkc8

vulnerability	VCID-kajb-u17y-7ufu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14

url pkg:composer/statamic/cms@6.7.0

purl pkg:composer/statamic/cms@6.7.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-53nt-msa9-p7b2

vulnerability	VCID-9chh-y51z-uqdy

vulnerability	VCID-acat-8pec-yycn

vulnerability	VCID-c8nx-d391-63bw

vulnerability	VCID-crhs-g4rj-y3du

vulnerability	VCID-g8pq-2yub-kkc8

vulnerability	VCID-kajb-u17y-7ufu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0

aliases CVE-2026-33171, GHSA-qm7r-wwq7-6f85

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5vp8-dye1-wbd9

url VCID-pxjn-93a2-53fs

vulnerability_id VCID-pxjn-93a2-53fs

summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33177

reference_id

reference_type

scores

value	0.00014
scoring_system	epss
scoring_elements	0.02568
published_at	2026-06-13T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02576
published_at	2026-06-11T12:55:00Z

value	0.00014
scoring_system	epss
scoring_elements	0.02578
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33177

reference_url

https://github.com/statamic/cms

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/statamic/cms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33177

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33177

reference_url

https://github.com/advisories/GHSA-wh3h-gvc4-cc2g

reference_id

GHSA-wh3h-gvc4-cc2g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wh3h-gvc4-cc2g

reference_url

https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g

reference_id

GHSA-wh3h-gvc4-cc2g

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/

url

https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g

fixed_packages

url pkg:composer/statamic/cms@5.73.14

purl pkg:composer/statamic/cms@5.73.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-53nt-msa9-p7b2

vulnerability	VCID-9chh-y51z-uqdy

vulnerability	VCID-acat-8pec-yycn

vulnerability	VCID-c8nx-d391-63bw

vulnerability	VCID-crhs-g4rj-y3du

vulnerability	VCID-g8pq-2yub-kkc8

vulnerability	VCID-kajb-u17y-7ufu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14

url pkg:composer/statamic/cms@6.7.0

purl pkg:composer/statamic/cms@6.7.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ueq-n7pd-1yav

vulnerability	VCID-53nt-msa9-p7b2

vulnerability	VCID-9chh-y51z-uqdy

vulnerability	VCID-acat-8pec-yycn

vulnerability	VCID-c8nx-d391-63bw

vulnerability	VCID-crhs-g4rj-y3du

vulnerability	VCID-g8pq-2yub-kkc8

vulnerability	VCID-kajb-u17y-7ufu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0

aliases CVE-2026-33177, GHSA-wh3h-gvc4-cc2g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pxjn-93a2-53fs

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0

Package Instance