Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/564914?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/564914?format=api", "purl": "pkg:composer/statamic/cms@3.0.0-beta.27", "type": "composer", "namespace": "statamic", "name": "cms", "version": "3.0.0-beta.27", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.73.21", "latest_non_vulnerable_version": "6.18.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90903?format=api", "vulnerability_id": "VCID-2jq7-5yxn-hubp", "summary": "Statamic has Stored XSS via SVG Sanitization Bypass\n### Impact\n\nStored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33172", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02606", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02538", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02553", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02608", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33172" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33172", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33172" }, { "reference_url": "https://github.com/advisories/GHSA-7rcv-55mj-chg7", "reference_id": "GHSA-7rcv-55mj-chg7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7rcv-55mj-chg7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112829?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/112828?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33172", "GHSA-7rcv-55mj-chg7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2jq7-5yxn-hubp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48310?format=api", "vulnerability_id": "VCID-2pmt-5bu3-6qfd", "summary": "Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation\nStored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\nThis affects:\n\n- Control panel users with permission to create or edit Collections and Taxonomies\n- Versions up to and including 5.22.0\n\nThe vulnerability can be exploited to:\n\n- Change a super admin's password (versions ≤ 5.21.0)\n- Change a super admin's email address to initiate password reset (version 5.22.0)\n- Gain unauthorized access to superadmin accounts\n\nThe attack requires:\n\n- An authenticated user with control panel and content creation permissions\n- A super admin to view the compromised content", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10891", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10972", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11006", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11014", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64112" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/" } ], "url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.22.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.22.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64112", "reference_id": "CVE-2025-64112", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64112" }, { "reference_url": "https://github.com/advisories/GHSA-g59r-24g3-h7cm", "reference_id": "GHSA-g59r-24g3-h7cm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g59r-24g3-h7cm" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm", "reference_id": "GHSA-g59r-24g3-h7cm", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71300?format=api", "purl": "pkg:composer/statamic/cms@5.22.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1" } ], "aliases": [ "CVE-2025-64112", "GHSA-g59r-24g3-h7cm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2pmt-5bu3-6qfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50459?format=api", "vulnerability_id": "VCID-5q2z-t8ka-nfff", "summary": "Statamic Vulnerable to Server-Side Request Forgery via Glide\nWhen Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28423", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07308", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07352", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07375", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07368", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28423" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28423", "reference_id": "CVE-2026-28423", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28423" }, { "reference_url": "https://github.com/advisories/GHSA-cwpp-325q-2cvp", "reference_id": "GHSA-cwpp-325q-2cvp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwpp-325q-2cvp" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp", "reference_id": "GHSA-cwpp-325q-2cvp", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74366?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/74329?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-unnd-b7ra-jyf9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28423", "GHSA-cwpp-325q-2cvp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5q2z-t8ka-nfff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90789?format=api", "vulnerability_id": "VCID-69px-5kah-8bbx", "summary": "Statamic allows unauthorized content access through missing authorization in its revision controllers\n### Impact\nAuthenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.\n\nUsers could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09931", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09834", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09918", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09945", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33887" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33887", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33887" }, { "reference_url": "https://github.com/advisories/GHSA-4hp7-3wxg-cv9q", "reference_id": "GHSA-4hp7-3wxg-cv9q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hp7-3wxg-cv9q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74368?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74369?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33887", "GHSA-4hp7-3wxg-cv9q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-69px-5kah-8bbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46926?format=api", "vulnerability_id": "VCID-6pwu-1kkq-dkar", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStatamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24570", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81091", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.8109", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81105", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81087", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0144", "scoring_system": "epss", "scoring_elements": "0.81094", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24570" }, { "reference_url": "http://seclists.org/fulldisclosure/2024/Feb/17", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "http://seclists.org/fulldisclosure/2024/Feb/17" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570", "reference_id": "CVE-2024-24570", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24570" }, { "reference_url": "https://github.com/advisories/GHSA-vqxq-hvxw-9mv9", "reference_id": "GHSA-vqxq-hvxw-9mv9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqxq-hvxw-9mv9" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9", "reference_id": "GHSA-vqxq-hvxw-9mv9", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68671?format=api", "purl": "pkg:composer/statamic/cms@3.4.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/68672?format=api", "purl": "pkg:composer/statamic/cms@4.46.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0" } ], "aliases": [ "CVE-2024-24570", "GHSA-vqxq-hvxw-9mv9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6pwu-1kkq-dkar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46381?format=api", "vulnerability_id": "VCID-7329-yjw5-nqgx", "summary": "Statamic CMS remote code execution via front-end form uploads\nStatmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90831", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90845", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90829", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90834", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.05963", "scoring_system": "epss", "scoring_elements": "0.90833", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47129" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75" }, { "reference_url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47129", "reference_id": "CVE-2023-47129", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47129" }, { "reference_url": "https://github.com/advisories/GHSA-72hg-5wr5-rmfc", "reference_id": "GHSA-72hg-5wr5-rmfc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72hg-5wr5-rmfc" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc", "reference_id": "GHSA-72hg-5wr5-rmfc", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67701?format=api", "purl": "pkg:composer/statamic/cms@3.4.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-a56w-4c8c-jqd7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/67702?format=api", "purl": "pkg:composer/statamic/cms@4.33.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-a56w-4c8c-jqd7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0" } ], "aliases": [ "CVE-2023-47129", "GHSA-72hg-5wr5-rmfc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7329-yjw5-nqgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91845?format=api", "vulnerability_id": "VCID-7fsn-ddsh-zbac", "summary": "Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag\n### Impact\n\nThe `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.\n\n### Patches\n\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12814", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12695", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1278", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12819", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33883" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33883", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33883" }, { "reference_url": "https://github.com/advisories/GHSA-3jg4-p23x-p4qx", "reference_id": "GHSA-3jg4-p23x-p4qx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3jg4-p23x-p4qx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74368?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74369?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33883", "GHSA-3jg4-p23x-p4qx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7fsn-ddsh-zbac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56236?format=api", "vulnerability_id": "VCID-7jn5-qd6y-vbg9", "summary": "Statamic CMS has a Path Traversal in Asset Upload\nAssets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52600", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60138", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60155", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60168", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60165", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52600" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d" }, { "reference_url": "https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da" }, { "reference_url": "https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52600", "reference_id": "CVE-2024-52600", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52600" }, { "reference_url": "https://github.com/advisories/GHSA-p7f6-8mcm-fwv3", "reference_id": "GHSA-p7f6-8mcm-fwv3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p7f6-8mcm-fwv3" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3", "reference_id": "GHSA-p7f6-8mcm-fwv3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83309?format=api", "purl": "pkg:composer/statamic/cms@5.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0" } ], "aliases": [ "CVE-2024-52600", "GHSA-p7f6-8mcm-fwv3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7jn5-qd6y-vbg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91381?format=api", "vulnerability_id": "VCID-88c2-bant-c3f7", "summary": "Statamic is missing authorization check on taxonomy term creation via fieldtype\n### Impact\n\nLow-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33177", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02651", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02584", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.026", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02654", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33177" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33177", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33177" }, { "reference_url": "https://github.com/advisories/GHSA-wh3h-gvc4-cc2g", "reference_id": "GHSA-wh3h-gvc4-cc2g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wh3h-gvc4-cc2g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112829?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/112828?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33177", "GHSA-wh3h-gvc4-cc2g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-88c2-bant-c3f7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46388?format=api", "vulnerability_id": "VCID-a56w-4c8c-jqd7", "summary": "Statamic CMS vulnerable to remote code execution via form uploads\nStatamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48217", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.77872", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.77883", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.77893", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.7789", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.01048", "scoring_system": "epss", "scoring_elements": "0.77887", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48217" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/" } ], "url": "https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411" }, { "reference_url": "https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6" }, { "reference_url": "https://github.com/statamic/cms/pull/8991", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/8991" }, { "reference_url": "https://github.com/statamic/cms/pull/8992", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/8992" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v3.4.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v3.4.14" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.34.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.34.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48217", "reference_id": "CVE-2023-48217", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48217" }, { "reference_url": "https://github.com/advisories/GHSA-2r53-9295-3m86", "reference_id": "GHSA-2r53-9295-3m86", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2r53-9295-3m86" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86", "reference_id": "GHSA-2r53-9295-3m86", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67718?format=api", "purl": "pkg:composer/statamic/cms@3.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/661738?format=api", "purl": "pkg:composer/statamic/cms@4.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-yure-1mrw-jfeu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/67719?format=api", "purl": "pkg:composer/statamic/cms@4.34.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0" } ], "aliases": [ "CVE-2023-48217", "GHSA-2r53-9295-3m86" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a56w-4c8c-jqd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91628?format=api", "vulnerability_id": "VCID-dcz8-ptts-fudz", "summary": "Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential\n### Impact\nThe external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33885", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16665", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16541", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16623", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16661", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33885" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33885", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33885" }, { "reference_url": "https://github.com/advisories/GHSA-7f74-7q5w-hj4r", "reference_id": "GHSA-7f74-7q5w-hj4r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7f74-7q5w-hj4r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74368?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74369?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33885", "GHSA-7f74-7q5w-hj4r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dcz8-ptts-fudz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42801?format=api", "vulnerability_id": "VCID-enub-vz6v-sqck", "summary": "Inadequate Encryption Strength\nStatamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50445", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50409", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.5047", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50477", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50457", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50428", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24784" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/issues/5604", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/" } ], "url": "https://github.com/statamic/cms/issues/5604" }, { "reference_url": "https://github.com/statamic/cms/pull/5568", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/" } ], "url": "https://github.com/statamic/cms/pull/5568" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24784", "reference_id": "CVE-2022-24784", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24784" }, { "reference_url": "https://github.com/advisories/GHSA-qcgx-7p5f-hxvr", "reference_id": "GHSA-qcgx-7p5f-hxvr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qcgx-7p5f-hxvr" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr", "reference_id": "GHSA-qcgx-7p5f-hxvr", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61142?format=api", "purl": "pkg:composer/statamic/cms@3.2.39", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7329-yjw5-nqgx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-a56w-4c8c-jqd7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-yure-1mrw-jfeu" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.2.39" }, { "url": "http://public2.vulnerablecode.io/api/packages/61143?format=api", "purl": "pkg:composer/statamic/cms@3.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7329-yjw5-nqgx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-a56w-4c8c-jqd7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-yure-1mrw-jfeu" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.3.2" } ], "aliases": [ "CVE-2022-24784", "GHSA-qcgx-7p5f-hxvr" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-enub-vz6v-sqck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50464?format=api", "vulnerability_id": "VCID-f9mc-yupq-nkdm", "summary": "Statamic vulnerable to privilege escalation via stored cross-site scripting\nStored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28426", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02143", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02156", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02175", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02168", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28426" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28426", "reference_id": "CVE-2026-28426", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28426" }, { "reference_url": "https://github.com/advisories/GHSA-5vrj-wf7v-5wr7", "reference_id": "GHSA-5vrj-wf7v-5wr7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vrj-wf7v-5wr7" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7", "reference_id": "GHSA-5vrj-wf7v-5wr7", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74366?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/74329?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-unnd-b7ra-jyf9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28426", "GHSA-5vrj-wf7v-5wr7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f9mc-yupq-nkdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50460?format=api", "vulnerability_id": "VCID-gxvz-s2qn-uqbe", "summary": "Statamic's missing authorization allows access to email addresses\nUser email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28424", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13082", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13156", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13196", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13193", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28424" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424", "reference_id": "CVE-2026-28424", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424" }, { "reference_url": "https://github.com/advisories/GHSA-w878-f8c6-7r63", "reference_id": "GHSA-w878-f8c6-7r63", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w878-f8c6-7r63" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "reference_id": "GHSA-w878-f8c6-7r63", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74366?format=api", "purl": "pkg:composer/statamic/cms@5.73.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/74329?format=api", "purl": "pkg:composer/statamic/cms@6.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-unnd-b7ra-jyf9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0" } ], "aliases": [ "CVE-2026-28424", "GHSA-w878-f8c6-7r63" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gxvz-s2qn-uqbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91411?format=api", "vulnerability_id": "VCID-kjqn-zv4f-zyak", "summary": "Statamic's Markdown preview endpoint exposes sensitive user data\n### Impact\nThe markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33882", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28226", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28093", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28136", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28176", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33882" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33882", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33882" }, { "reference_url": "https://github.com/advisories/GHSA-cvh3-23vq-w7h4", "reference_id": "GHSA-cvh3-23vq-w7h4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cvh3-23vq-w7h4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74368?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74369?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33882", "GHSA-cvh3-23vq-w7h4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kjqn-zv4f-zyak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50271?format=api", "vulnerability_id": "VCID-md5z-7r9y-u7bg", "summary": "Statamic affected by privilege escalation via stored cross-site scripting\nStored XSS vulnerability in `html` fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02641", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02659", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02712", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02707", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27196" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b" }, { "reference_url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196", "reference_id": "CVE-2026-27196", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196" }, { "reference_url": "https://github.com/advisories/GHSA-8r7r-f4gm-wcpq", "reference_id": "GHSA-8r7r-f4gm-wcpq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8r7r-f4gm-wcpq" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq", "reference_id": "GHSA-8r7r-f4gm-wcpq", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74164?format=api", "purl": "pkg:composer/statamic/cms@5.73.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/74163?format=api", "purl": "pkg:composer/statamic/cms@6.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-9yv7-85t6-mkcj" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-unnd-b7ra-jyf9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2" } ], "aliases": [ "CVE-2026-27196", "GHSA-8r7r-f4gm-wcpq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-md5z-7r9y-u7bg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89129?format=api", "vulnerability_id": "VCID-n1wb-964r-zubv", "summary": "Statamic: Unsafe method invocation via query value resolution allows data destruction\n### Impact\n\nManipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.\n\nThe Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc.\n\nThe REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.\n\nSites that enable the REST or GraphQL API without authentication should treat patching as critical priority.\n\n### Patches\n\nThis has been fixed in 5.73.20 and 6.13.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41175", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.2819", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28057", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28101", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28141", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41175" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175" }, { "reference_url": "https://github.com/advisories/GHSA-4jjr-vmv7-wh4w", "reference_id": "GHSA-4jjr-vmv7-wh4w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4jjr-vmv7-wh4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110184?format=api", "purl": "pkg:composer/statamic/cms@5.73.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/110185?format=api", "purl": "pkg:composer/statamic/cms@6.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0" } ], "aliases": [ "CVE-2026-41175", "GHSA-4jjr-vmv7-wh4w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n1wb-964r-zubv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50113?format=api", "vulnerability_id": "VCID-nax6-fhk7-rudm", "summary": "Statamic CMS's missing authorization allows access to assets\nUsers without permission to view assets are able are able to download them and view their metadata.\n\nLogged-out users and users without permission to access the control panel are unable to take advantage of this.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02467", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02484", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0254", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02539", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25633" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a" }, { "reference_url": "https://github.com/statamic/cms/pull/13883", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/pull/13883" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.6" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.2.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.2.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633", "reference_id": "CVE-2026-25633", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633" }, { "reference_url": "https://github.com/advisories/GHSA-gwmx-9gcj-332h", "reference_id": "GHSA-gwmx-9gcj-332h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gwmx-9gcj-332h" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "reference_id": "GHSA-gwmx-9gcj-332h", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74003?format=api", "purl": "pkg:composer/statamic/cms@5.73.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/74004?format=api", "purl": "pkg:composer/statamic/cms@6.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-9yv7-85t6-mkcj" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-unnd-b7ra-jyf9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5" } ], "aliases": [ "CVE-2026-25633", "GHSA-gwmx-9gcj-332h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nax6-fhk7-rudm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50462?format=api", "vulnerability_id": "VCID-pf25-j1qp-nygr", "summary": "Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs\nAn authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability.\n\nExploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28425", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40475", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40504", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40531", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40529", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28425" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.16" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.7.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.7.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28425", "reference_id": "CVE-2026-28425", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28425" }, { "reference_url": "https://github.com/advisories/GHSA-cpv7-q2wx-m8rw", "reference_id": "GHSA-cpv7-q2wx-m8rw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cpv7-q2wx-m8rw" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw", "reference_id": "GHSA-cpv7-q2wx-m8rw", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74368?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74369?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-28425", "GHSA-cpv7-q2wx-m8rw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pf25-j1qp-nygr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91788?format=api", "vulnerability_id": "VCID-saqn-jmc9-mudb", "summary": "Statamic's live preview token bypasses content protection for unrelated entries\n### Impact\nAn authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33884", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12317", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12199", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12281", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12316", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33884" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33884", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33884" }, { "reference_url": "https://github.com/advisories/GHSA-8vwx-ccf6-5wg2", "reference_id": "GHSA-8vwx-ccf6-5wg2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8vwx-ccf6-5wg2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74368?format=api", "purl": "pkg:composer/statamic/cms@5.73.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74369?format=api", "purl": "pkg:composer/statamic/cms@6.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2" } ], "aliases": [ "CVE-2026-33884", "GHSA-8vwx-ccf6-5wg2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-saqn-jmc9-mudb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91359?format=api", "vulnerability_id": "VCID-tff1-wegz-pbc9", "summary": "Statamic has a path traversal in file dictionary fieldtype\n### Impact\n\nAuthenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33171", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06469", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06405", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06451", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06461", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33171" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33171", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33171" }, { "reference_url": "https://github.com/advisories/GHSA-qm7r-wwq7-6f85", "reference_id": "GHSA-qm7r-wwq7-6f85", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qm7r-wwq7-6f85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112829?format=api", "purl": "pkg:composer/statamic/cms@5.73.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/112828?format=api", "purl": "pkg:composer/statamic/cms@6.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0" } ], "aliases": [ "CVE-2026-33171", "GHSA-qm7r-wwq7-6f85" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tff1-wegz-pbc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50346?format=api", "vulnerability_id": "VCID-wjgz-btnr-67cv", "summary": "Statamic is vulnerable to account takeover via password reset link injection\nAn attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.\n\nThe attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27593", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04356", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04306", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04334", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04344", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27593" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e" }, { "reference_url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be" }, { "reference_url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v5.73.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v5.73.10" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v6.3.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v6.3.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593", "reference_id": "CVE-2026-27593", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593" }, { "reference_url": "https://github.com/advisories/GHSA-jxq9-79vj-rgvw", "reference_id": "GHSA-jxq9-79vj-rgvw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxq9-79vj-rgvw" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw", "reference_id": "GHSA-jxq9-79vj-rgvw", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74235?format=api", "purl": "pkg:composer/statamic/cms@5.73.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/74236?format=api", "purl": "pkg:composer/statamic/cms@6.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-vhz9-vavp-hyb6" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1" } ], "aliases": [ "CVE-2026-27593", "GHSA-jxq9-79vj-rgvw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wjgz-btnr-67cv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92794?format=api", "vulnerability_id": "VCID-xyrx-z921-8qdg", "summary": "Statamic CMS vulnerable to email enumeration via forgot password endpoint\n### Impact\n\nResponses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.\n\n### Patches\n\nThis has been fixed in 5.73.21 and 6.15.0. The forgot password forms now return the same generic response regardless of whether the submitted email matches a registered user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44306", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11575", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11456", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11537", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11571", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44306" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44306", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44306" }, { "reference_url": "https://github.com/advisories/GHSA-m24v-f7g5-gq67", "reference_id": "GHSA-m24v-f7g5-gq67", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m24v-f7g5-gq67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/115925?format=api", "purl": "pkg:composer/statamic/cms@5.73.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/115926?format=api", "purl": "pkg:composer/statamic/cms@6.15.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0" } ], "aliases": [ "CVE-2026-44306", "GHSA-m24v-f7g5-gq67" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xyrx-z921-8qdg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45585?format=api", "vulnerability_id": "VCID-yure-1mrw-jfeu", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStatamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53538", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53563", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53575", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53567", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36828" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15" }, { "reference_url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40" }, { "reference_url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d" }, { "reference_url": "https://github.com/statamic/cms/pull/8408", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/pull/8408" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.10.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36828", "reference_id": "CVE-2023-36828", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36828" }, { "reference_url": "https://github.com/advisories/GHSA-6r5g-cq4q-327g", "reference_id": "GHSA-6r5g-cq4q-327g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6r5g-cq4q-327g" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g", "reference_id": "GHSA-6r5g-cq4q-327g", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65943?format=api", "purl": "pkg:composer/statamic/cms@4.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7329-yjw5-nqgx" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-a56w-4c8c-jqd7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" }, { "vulnerability": "VCID-z4dm-tpj4-5ya4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.10.0" } ], "aliases": [ "CVE-2023-36828", "GHSA-6r5g-cq4q-327g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yure-1mrw-jfeu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46463?format=api", "vulnerability_id": "VCID-z4dm-tpj4-5ya4", "summary": "Cross-site Scripting via uploaded assets\nStatamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the \"Forms\" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48701", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.7679", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.76802", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.7678", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.76794", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00953", "scoring_system": "epss", "scoring_elements": "0.768", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48701" }, { "reference_url": "https://github.com/statamic/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v3.4.15", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v3.4.15" }, { "reference_url": "https://github.com/statamic/cms/releases/tag/v4.36.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/releases/tag/v4.36.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48701", "reference_id": "CVE-2023-48701", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48701" }, { "reference_url": "https://github.com/advisories/GHSA-8jjh-j3c2-cjcv", "reference_id": "GHSA-8jjh-j3c2-cjcv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8jjh-j3c2-cjcv" }, { "reference_url": "https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv", "reference_id": "GHSA-8jjh-j3c2-cjcv", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67836?format=api", "purl": "pkg:composer/statamic/cms@3.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/67837?format=api", "purl": "pkg:composer/statamic/cms@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2jq7-5yxn-hubp" }, { "vulnerability": "VCID-2pmt-5bu3-6qfd" }, { "vulnerability": "VCID-5q2z-t8ka-nfff" }, { "vulnerability": "VCID-69px-5kah-8bbx" }, { "vulnerability": "VCID-6pwu-1kkq-dkar" }, { "vulnerability": "VCID-7fsn-ddsh-zbac" }, { "vulnerability": "VCID-7jn5-qd6y-vbg9" }, { "vulnerability": "VCID-88c2-bant-c3f7" }, { "vulnerability": "VCID-dcz8-ptts-fudz" }, { "vulnerability": "VCID-f9mc-yupq-nkdm" }, { "vulnerability": "VCID-gxvz-s2qn-uqbe" }, { "vulnerability": "VCID-kjqn-zv4f-zyak" }, { "vulnerability": "VCID-md5z-7r9y-u7bg" }, { "vulnerability": "VCID-n1wb-964r-zubv" }, { "vulnerability": "VCID-nax6-fhk7-rudm" }, { "vulnerability": "VCID-pf25-j1qp-nygr" }, { "vulnerability": "VCID-saqn-jmc9-mudb" }, { "vulnerability": "VCID-tff1-wegz-pbc9" }, { "vulnerability": "VCID-wjgz-btnr-67cv" }, { "vulnerability": "VCID-xyrx-z921-8qdg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0" } ], "aliases": [ "CVE-2023-48701", "GHSA-8jjh-j3c2-cjcv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z4dm-tpj4-5ya4" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.0.0-beta.27" }