Lookup for vulnerable packages by Package URL.

purl pkg:composer/statamic/cms@3.0.0-beta.35
type composer
namespace statamic
name cms
version 3.0.0-beta.35
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 5.73.21
latest_non_vulnerable_version 6.18.1
Affected_by_vulnerabilities
0
url VCID-2jq7-5yxn-hubp
vulnerability_id VCID-2jq7-5yxn-hubp
summary
Statamic has Stored XSS via SVG Sanitization Bypass
### Impact

Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.

### Patches

This has been fixed in 5.73.14 and 6.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33172
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02499
published_at 2026-06-09T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02606
published_at 2026-06-05T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02608
published_at 2026-06-06T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02553
published_at 2026-06-07T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02538
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33172
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/
url https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33172
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33172
4
reference_url https://github.com/advisories/GHSA-7rcv-55mj-chg7
reference_id GHSA-7rcv-55mj-chg7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7rcv-55mj-chg7
fixed_packages
0
url pkg:composer/statamic/cms@5.73.14
purl pkg:composer/statamic/cms@5.73.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14
1
url pkg:composer/statamic/cms@6.7.0
purl pkg:composer/statamic/cms@6.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0
aliases CVE-2026-33172, GHSA-7rcv-55mj-chg7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2jq7-5yxn-hubp
1
url VCID-2pmt-5bu3-6qfd
vulnerability_id VCID-2pmt-5bu3-6qfd
summary
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.

This affects:

- Control panel users with permission to create or edit Collections and Taxonomies
- Versions up to and including 5.22.0

The vulnerability can be exploited to:

- Change a super admin's password (versions ≤ 5.21.0)
- Change a super admin's email address to initiate password reset (version 5.22.0)
- Gain unauthorized access to superadmin accounts

The attack requires:

- An authenticated user with control panel and content creation permissions
- A super admin to view the compromised content
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64112
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.10891
published_at 2026-06-08T12:55:00Z
1
value 0.00036
scoring_system epss
scoring_elements 0.11006
published_at 2026-06-06T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.11014
published_at 2026-06-05T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.10908
published_at 2026-06-09T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.10972
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64112
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/
url https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1
3
reference_url https://github.com/statamic/cms/releases/tag/v5.22.1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v5.22.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64112
reference_id CVE-2025-64112
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64112
5
reference_url https://github.com/advisories/GHSA-g59r-24g3-h7cm
reference_id GHSA-g59r-24g3-h7cm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g59r-24g3-h7cm
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm
reference_id GHSA-g59r-24g3-h7cm
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/
url https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm
fixed_packages
0
url pkg:composer/statamic/cms@5.22.1
purl pkg:composer/statamic/cms@5.22.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-5q2z-t8ka-nfff
2
vulnerability VCID-69px-5kah-8bbx
3
vulnerability VCID-7fsn-ddsh-zbac
4
vulnerability VCID-88c2-bant-c3f7
5
vulnerability VCID-dcz8-ptts-fudz
6
vulnerability VCID-f9mc-yupq-nkdm
7
vulnerability VCID-gxvz-s2qn-uqbe
8
vulnerability VCID-kjqn-zv4f-zyak
9
vulnerability VCID-md5z-7r9y-u7bg
10
vulnerability VCID-n1wb-964r-zubv
11
vulnerability VCID-nax6-fhk7-rudm
12
vulnerability VCID-pf25-j1qp-nygr
13
vulnerability VCID-saqn-jmc9-mudb
14
vulnerability VCID-tff1-wegz-pbc9
15
vulnerability VCID-wjgz-btnr-67cv
16
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1
aliases CVE-2025-64112, GHSA-g59r-24g3-h7cm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2pmt-5bu3-6qfd
2
url VCID-5q2z-t8ka-nfff
vulnerability_id VCID-5q2z-t8ka-nfff
summary
Statamic Vulnerable to Server-Side Request Forgery via Glide
When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28423
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07352
published_at 2026-06-07T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07321
published_at 2026-06-09T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07308
published_at 2026-06-08T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07375
published_at 2026-06-06T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07368
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28423
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
3
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28423
reference_id CVE-2026-28423
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28423
5
reference_url https://github.com/advisories/GHSA-cwpp-325q-2cvp
reference_id GHSA-cwpp-325q-2cvp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cwpp-325q-2cvp
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp
reference_id GHSA-cwpp-325q-2cvp
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/
url https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp
fixed_packages
0
url pkg:composer/statamic/cms@5.73.11
purl pkg:composer/statamic/cms@5.73.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-69px-5kah-8bbx
2
vulnerability VCID-7fsn-ddsh-zbac
3
vulnerability VCID-88c2-bant-c3f7
4
vulnerability VCID-dcz8-ptts-fudz
5
vulnerability VCID-kjqn-zv4f-zyak
6
vulnerability VCID-n1wb-964r-zubv
7
vulnerability VCID-pf25-j1qp-nygr
8
vulnerability VCID-saqn-jmc9-mudb
9
vulnerability VCID-tff1-wegz-pbc9
10
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11
1
url pkg:composer/statamic/cms@6.4.0
purl pkg:composer/statamic/cms@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-69px-5kah-8bbx
2
vulnerability VCID-7fsn-ddsh-zbac
3
vulnerability VCID-88c2-bant-c3f7
4
vulnerability VCID-dcz8-ptts-fudz
5
vulnerability VCID-kjqn-zv4f-zyak
6
vulnerability VCID-n1wb-964r-zubv
7
vulnerability VCID-pf25-j1qp-nygr
8
vulnerability VCID-saqn-jmc9-mudb
9
vulnerability VCID-tff1-wegz-pbc9
10
vulnerability VCID-unnd-b7ra-jyf9
11
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0
aliases CVE-2026-28423, GHSA-cwpp-325q-2cvp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5q2z-t8ka-nfff
3
url VCID-69px-5kah-8bbx
vulnerability_id VCID-69px-5kah-8bbx
summary
Statamic allows unauthorized content access through missing authorization in its revision controllers
### Impact
Authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.

Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.

### Patches
This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33887
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09866
published_at 2026-06-09T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09931
published_at 2026-06-05T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.09945
published_at 2026-06-06T12:55:00Z
3
value 0.00032
scoring_system epss
scoring_elements 0.09918
published_at 2026-06-07T12:55:00Z
4
value 0.00032
scoring_system epss
scoring_elements 0.09834
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33887
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/
url https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33887
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33887
4
reference_url https://github.com/advisories/GHSA-4hp7-3wxg-cv9q
reference_id GHSA-4hp7-3wxg-cv9q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4hp7-3wxg-cv9q
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33887, GHSA-4hp7-3wxg-cv9q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-69px-5kah-8bbx
4
url VCID-6pwu-1kkq-dkar
vulnerability_id VCID-6pwu-1kkq-dkar
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.
references
0
reference_url http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/
url http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-24570
reference_id
reference_type
scores
0
value 0.0144
scoring_system epss
scoring_elements 0.81091
published_at 2026-06-07T12:55:00Z
1
value 0.0144
scoring_system epss
scoring_elements 0.8109
published_at 2026-06-05T12:55:00Z
2
value 0.0144
scoring_system epss
scoring_elements 0.81105
published_at 2026-06-09T12:55:00Z
3
value 0.0144
scoring_system epss
scoring_elements 0.81087
published_at 2026-06-08T12:55:00Z
4
value 0.0144
scoring_system epss
scoring_elements 0.81094
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-24570
2
reference_url http://seclists.org/fulldisclosure/2024/Feb/17
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/
url http://seclists.org/fulldisclosure/2024/Feb/17
3
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-24570
reference_id CVE-2024-24570
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-24570
5
reference_url https://github.com/advisories/GHSA-vqxq-hvxw-9mv9
reference_id GHSA-vqxq-hvxw-9mv9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vqxq-hvxw-9mv9
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9
reference_id GHSA-vqxq-hvxw-9mv9
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/
url https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9
fixed_packages
0
url pkg:composer/statamic/cms@3.4.17
purl pkg:composer/statamic/cms@3.4.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-7fsn-ddsh-zbac
5
vulnerability VCID-7jn5-qd6y-vbg9
6
vulnerability VCID-88c2-bant-c3f7
7
vulnerability VCID-dcz8-ptts-fudz
8
vulnerability VCID-f9mc-yupq-nkdm
9
vulnerability VCID-gxvz-s2qn-uqbe
10
vulnerability VCID-kjqn-zv4f-zyak
11
vulnerability VCID-md5z-7r9y-u7bg
12
vulnerability VCID-n1wb-964r-zubv
13
vulnerability VCID-nax6-fhk7-rudm
14
vulnerability VCID-pf25-j1qp-nygr
15
vulnerability VCID-saqn-jmc9-mudb
16
vulnerability VCID-tff1-wegz-pbc9
17
vulnerability VCID-wjgz-btnr-67cv
18
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17
1
url pkg:composer/statamic/cms@4.46.0
purl pkg:composer/statamic/cms@4.46.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-7fsn-ddsh-zbac
5
vulnerability VCID-7jn5-qd6y-vbg9
6
vulnerability VCID-88c2-bant-c3f7
7
vulnerability VCID-dcz8-ptts-fudz
8
vulnerability VCID-f9mc-yupq-nkdm
9
vulnerability VCID-gxvz-s2qn-uqbe
10
vulnerability VCID-kjqn-zv4f-zyak
11
vulnerability VCID-md5z-7r9y-u7bg
12
vulnerability VCID-n1wb-964r-zubv
13
vulnerability VCID-nax6-fhk7-rudm
14
vulnerability VCID-pf25-j1qp-nygr
15
vulnerability VCID-saqn-jmc9-mudb
16
vulnerability VCID-tff1-wegz-pbc9
17
vulnerability VCID-wjgz-btnr-67cv
18
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0
aliases CVE-2024-24570, GHSA-vqxq-hvxw-9mv9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6pwu-1kkq-dkar
5
url VCID-7329-yjw5-nqgx
vulnerability_id VCID-7329-yjw5-nqgx
summary
Statamic CMS remote code execution via front-end form uploads
Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47129
reference_id
reference_type
scores
0
value 0.05963
scoring_system epss
scoring_elements 0.90831
published_at 2026-06-07T12:55:00Z
1
value 0.05963
scoring_system epss
scoring_elements 0.90845
published_at 2026-06-09T12:55:00Z
2
value 0.05963
scoring_system epss
scoring_elements 0.90829
published_at 2026-06-08T12:55:00Z
3
value 0.05963
scoring_system epss
scoring_elements 0.90834
published_at 2026-06-06T12:55:00Z
4
value 0.05963
scoring_system epss
scoring_elements 0.90833
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47129
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/
url https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
3
reference_url https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/
url https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47129
reference_id CVE-2023-47129
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47129
5
reference_url https://github.com/advisories/GHSA-72hg-5wr5-rmfc
reference_id GHSA-72hg-5wr5-rmfc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-72hg-5wr5-rmfc
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
reference_id GHSA-72hg-5wr5-rmfc
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/
url https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
fixed_packages
0
url pkg:composer/statamic/cms@3.4.13
purl pkg:composer/statamic/cms@3.4.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7fsn-ddsh-zbac
6
vulnerability VCID-7jn5-qd6y-vbg9
7
vulnerability VCID-88c2-bant-c3f7
8
vulnerability VCID-a56w-4c8c-jqd7
9
vulnerability VCID-dcz8-ptts-fudz
10
vulnerability VCID-f9mc-yupq-nkdm
11
vulnerability VCID-gxvz-s2qn-uqbe
12
vulnerability VCID-kjqn-zv4f-zyak
13
vulnerability VCID-md5z-7r9y-u7bg
14
vulnerability VCID-n1wb-964r-zubv
15
vulnerability VCID-nax6-fhk7-rudm
16
vulnerability VCID-pf25-j1qp-nygr
17
vulnerability VCID-saqn-jmc9-mudb
18
vulnerability VCID-tff1-wegz-pbc9
19
vulnerability VCID-wjgz-btnr-67cv
20
vulnerability VCID-xyrx-z921-8qdg
21
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13
1
url pkg:composer/statamic/cms@4.33.0
purl pkg:composer/statamic/cms@4.33.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7fsn-ddsh-zbac
6
vulnerability VCID-7jn5-qd6y-vbg9
7
vulnerability VCID-88c2-bant-c3f7
8
vulnerability VCID-a56w-4c8c-jqd7
9
vulnerability VCID-dcz8-ptts-fudz
10
vulnerability VCID-f9mc-yupq-nkdm
11
vulnerability VCID-gxvz-s2qn-uqbe
12
vulnerability VCID-kjqn-zv4f-zyak
13
vulnerability VCID-md5z-7r9y-u7bg
14
vulnerability VCID-n1wb-964r-zubv
15
vulnerability VCID-nax6-fhk7-rudm
16
vulnerability VCID-pf25-j1qp-nygr
17
vulnerability VCID-saqn-jmc9-mudb
18
vulnerability VCID-tff1-wegz-pbc9
19
vulnerability VCID-wjgz-btnr-67cv
20
vulnerability VCID-xyrx-z921-8qdg
21
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0
aliases CVE-2023-47129, GHSA-72hg-5wr5-rmfc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7329-yjw5-nqgx
6
url VCID-7fsn-ddsh-zbac
vulnerability_id VCID-7fsn-ddsh-zbac
summary
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
### Impact

The `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.

### Patches

This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33883
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12726
published_at 2026-06-09T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12814
published_at 2026-06-05T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12819
published_at 2026-06-06T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.1278
published_at 2026-06-07T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12695
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33883
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/
url https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33883
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33883
4
reference_url https://github.com/advisories/GHSA-3jg4-p23x-p4qx
reference_id GHSA-3jg4-p23x-p4qx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3jg4-p23x-p4qx
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33883, GHSA-3jg4-p23x-p4qx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7fsn-ddsh-zbac
7
url VCID-7jn5-qd6y-vbg9
vulnerability_id VCID-7jn5-qd6y-vbg9
summary
Statamic CMS has a Path Traversal in Asset Upload
Assets uploaded with specially crafted filenames can be written to a location other than the configured asset container (path traversal).
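The two checks an upload handler needs against this class of bug are shown below as an added example; it is not Statamic's code and does not reproduce the specific filenames that triggered the advisory. It reduces the client-supplied filename to a single path component and then verifies that the final destination still sits inside the configured container root. The container path `/srv/assets` and the folder names are constructed inputs.

```python
import posixpath
import re


def safe_filename(user_supplied):
    """Collapse an upload's filename to one benign path component.
    Backslashes are treated as separators regardless of the host OS, so
    '..\\..\\x' and '../../x' are handled identically, and NUL bytes are
    removed before any basename logic runs."""
    name = user_supplied.replace("\\", "/").replace("\x00", "")
    name = posixpath.basename(name)            # drops every directory part, '..' included
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    name = name.strip("._")                    # no dot-files, no '.', no '..'
    return name or "upload"


def resolve_in_container(container_root, relative_path):
    """Join a container root with a relative path and refuse any result that
    lands outside the root. This is pure string normalisation (no symlink
    resolution); on a real filesystem also resolve symlinks before comparing."""
    root = posixpath.normpath(container_root)
    candidate = posixpath.normpath(posixpath.join(root, relative_path))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"path escapes asset container: {relative_path!r}")
    return candidate


def store_path(container_root, folder, original_name):
    """The destination an upload handler should compute before writing anything.
    `folder` may also be user-influenced, so it goes through the containment
    check as well rather than only the filename."""
    return resolve_in_container(
        container_root, posixpath.join(folder, safe_filename(original_name))
    )
```

Note that the containment check is component-wise: `/srv/assets2/x` does not start with `/srv/assets/` and is rejected even though it shares the string prefix `/srv/assets`.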
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52600
reference_id
reference_type
scores
0
value 0.00386
scoring_system epss
scoring_elements 0.60138
published_at 2026-06-08T12:55:00Z
1
value 0.00386
scoring_system epss
scoring_elements 0.60156
published_at 2026-06-09T12:55:00Z
2
value 0.00386
scoring_system epss
scoring_elements 0.60168
published_at 2026-06-06T12:55:00Z
3
value 0.00386
scoring_system epss
scoring_elements 0.60165
published_at 2026-06-05T12:55:00Z
4
value 0.00386
scoring_system epss
scoring_elements 0.60155
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52600
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
3
reference_url https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
4
reference_url https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52600
reference_id CVE-2024-52600
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52600
6
reference_url https://github.com/advisories/GHSA-p7f6-8mcm-fwv3
reference_id GHSA-p7f6-8mcm-fwv3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p7f6-8mcm-fwv3
7
reference_url https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
reference_id GHSA-p7f6-8mcm-fwv3
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
fixed_packages
0
url pkg:composer/statamic/cms@5.17.0
purl pkg:composer/statamic/cms@5.17.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-7fsn-ddsh-zbac
5
vulnerability VCID-88c2-bant-c3f7
6
vulnerability VCID-dcz8-ptts-fudz
7
vulnerability VCID-f9mc-yupq-nkdm
8
vulnerability VCID-gxvz-s2qn-uqbe
9
vulnerability VCID-kjqn-zv4f-zyak
10
vulnerability VCID-md5z-7r9y-u7bg
11
vulnerability VCID-n1wb-964r-zubv
12
vulnerability VCID-nax6-fhk7-rudm
13
vulnerability VCID-pf25-j1qp-nygr
14
vulnerability VCID-saqn-jmc9-mudb
15
vulnerability VCID-tff1-wegz-pbc9
16
vulnerability VCID-wjgz-btnr-67cv
17
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0
aliases CVE-2024-52600, GHSA-p7f6-8mcm-fwv3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7jn5-qd6y-vbg9
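The fixed_packages entries in these records carry is_vulnerable true because the version that fixes one advisory is itself affected by later ones. To choose an upgrade target you have to combine the fix versions across all advisories for your major line. The following is an added example of that computation; it is not VulnerableCode's own client code. SAMPLE_RESPONSE is a constructed miniature of the response shape shown on this page (four of the advisories, with their fixed purls), and the rule that an advisory whose fixes all live in an older major line is inherited by newer lines is an assumption about release practice, not something the API states.

```python
import re

# Constructed miniature of the VulnerableCode response shape on this page.
SAMPLE_RESPONSE = {
    "purl": "pkg:composer/statamic/cms@3.0.0-beta.35",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-7jn5-qd6y-vbg9",
         "fixed_packages": [{"purl": "pkg:composer/statamic/cms@5.17.0"}]},
        {"vulnerability_id": "VCID-88c2-bant-c3f7",
         "fixed_packages": [{"purl": "pkg:composer/statamic/cms@5.73.14"},
                            {"purl": "pkg:composer/statamic/cms@6.7.0"}]},
        {"vulnerability_id": "VCID-dcz8-ptts-fudz",
         "fixed_packages": [{"purl": "pkg:composer/statamic/cms@5.73.16"},
                            {"purl": "pkg:composer/statamic/cms@6.7.2"}]},
        {"vulnerability_id": "VCID-a56w-4c8c-jqd7",
         "fixed_packages": [{"purl": "pkg:composer/statamic/cms@3.4.14"},
                            {"purl": "pkg:composer/statamic/cms@4.34.0"}]},
    ],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH[-pre]' into a sortable tuple; a pre-release
    sorts below the final release with the same numbers."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def purl_version(purl):
    return purl.rsplit("@", 1)[1]


def fix_floor_per_major(response):
    """Per major line, the highest fix version any advisory demands.
    Anything below it in that line is still affected by something."""
    floors = {}
    for vuln in response["affected_by_vulnerabilities"]:
        for fp in vuln["fixed_packages"]:
            ver = purl_version(fp["purl"])
            major = parse_version(ver)[0]
            if major not in floors or parse_version(ver) > parse_version(floors[major]):
                floors[major] = ver
    return floors


def unresolved_for(version, response):
    """Advisory ids a candidate version would still carry. Resolved means the
    candidate is at or above a fix in its own major line, or every fix sits in
    an older major line (assumed inherited). An advisory whose only fixes are
    in a newer major line stays open: the candidate's line has no fix."""
    cand = parse_version(version)
    open_ids = []
    for vuln in response["affected_by_vulnerabilities"]:
        fixes = [parse_version(purl_version(fp["purl"])) for fp in vuln["fixed_packages"]]
        same_major = [f for f in fixes if f[0] == cand[0]]
        if same_major:
            resolved = cand >= min(same_major)
        else:
            resolved = bool(fixes) and all(f[0] < cand[0] for f in fixes)
        if not resolved:
            open_ids.append(vuln["vulnerability_id"])
    return open_ids
```

Against the sample, 5.17.0 (the fix for this advisory) still carries the two later 5.x advisories, while 5.73.16 and 6.7.2 carry none of the four; a 3.x or 4.x install has no fix at all for the 2026 advisories in the sample and needs a major upgrade rather than a patch release.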
8
url VCID-88c2-bant-c3f7
vulnerability_id VCID-88c2-bant-c3f7
summary
Statamic is missing authorization check on taxonomy term creation via fieldtype
### Impact

Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.

### Patches

This has been fixed in 5.73.14 and 6.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33177
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0255
published_at 2026-06-09T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02651
published_at 2026-06-05T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02654
published_at 2026-06-06T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.026
published_at 2026-06-07T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02584
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33177
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/
url https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33177
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33177
4
reference_url https://github.com/advisories/GHSA-wh3h-gvc4-cc2g
reference_id GHSA-wh3h-gvc4-cc2g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wh3h-gvc4-cc2g
fixed_packages
0
url pkg:composer/statamic/cms@5.73.14
purl pkg:composer/statamic/cms@5.73.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14
1
url pkg:composer/statamic/cms@6.7.0
purl pkg:composer/statamic/cms@6.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0
aliases CVE-2026-33177, GHSA-wh3h-gvc4-cc2g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-88c2-bant-c3f7
9
url VCID-a56w-4c8c-jqd7
vulnerability_id VCID-a56w-4c8c-jqd7
summary
Statamic CMS vulnerable to remote code execution via form uploads
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-48217
reference_id
reference_type
scores
0
value 0.01048
scoring_system epss
scoring_elements 0.77872
published_at 2026-06-08T12:55:00Z
1
value 0.01048
scoring_system epss
scoring_elements 0.77883
published_at 2026-06-07T12:55:00Z
2
value 0.01048
scoring_system epss
scoring_elements 0.77893
published_at 2026-06-06T12:55:00Z
3
value 0.01048
scoring_system epss
scoring_elements 0.7789
published_at 2026-06-09T12:55:00Z
4
value 0.01048
scoring_system epss
scoring_elements 0.77887
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-48217
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/
url https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
3
reference_url https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6
4
reference_url https://github.com/statamic/cms/pull/8991
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/pull/8991
5
reference_url https://github.com/statamic/cms/pull/8992
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/pull/8992
6
reference_url https://github.com/statamic/cms/releases/tag/v3.4.14
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v3.4.14
7
reference_url https://github.com/statamic/cms/releases/tag/v4.34.0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v4.34.0
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48217
reference_id CVE-2023-48217
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-48217
9
reference_url https://github.com/advisories/GHSA-2r53-9295-3m86
reference_id GHSA-2r53-9295-3m86
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2r53-9295-3m86
10
reference_url https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86
reference_id GHSA-2r53-9295-3m86
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/
url https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86
fixed_packages
0
url pkg:composer/statamic/cms@3.4.14
purl pkg:composer/statamic/cms@3.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7fsn-ddsh-zbac
6
vulnerability VCID-7jn5-qd6y-vbg9
7
vulnerability VCID-88c2-bant-c3f7
8
vulnerability VCID-dcz8-ptts-fudz
9
vulnerability VCID-f9mc-yupq-nkdm
10
vulnerability VCID-gxvz-s2qn-uqbe
11
vulnerability VCID-kjqn-zv4f-zyak
12
vulnerability VCID-md5z-7r9y-u7bg
13
vulnerability VCID-n1wb-964r-zubv
14
vulnerability VCID-nax6-fhk7-rudm
15
vulnerability VCID-pf25-j1qp-nygr
16
vulnerability VCID-saqn-jmc9-mudb
17
vulnerability VCID-tff1-wegz-pbc9
18
vulnerability VCID-wjgz-btnr-67cv
19
vulnerability VCID-xyrx-z921-8qdg
20
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14
1
url pkg:composer/statamic/cms@4.0.0-alpha.1
purl pkg:composer/statamic/cms@4.0.0-alpha.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-7fsn-ddsh-zbac
5
vulnerability VCID-7jn5-qd6y-vbg9
6
vulnerability VCID-88c2-bant-c3f7
7
vulnerability VCID-dcz8-ptts-fudz
8
vulnerability VCID-f9mc-yupq-nkdm
9
vulnerability VCID-gxvz-s2qn-uqbe
10
vulnerability VCID-kjqn-zv4f-zyak
11
vulnerability VCID-md5z-7r9y-u7bg
12
vulnerability VCID-n1wb-964r-zubv
13
vulnerability VCID-nax6-fhk7-rudm
14
vulnerability VCID-pf25-j1qp-nygr
15
vulnerability VCID-saqn-jmc9-mudb
16
vulnerability VCID-tff1-wegz-pbc9
17
vulnerability VCID-wjgz-btnr-67cv
18
vulnerability VCID-xyrx-z921-8qdg
19
vulnerability VCID-yure-1mrw-jfeu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1
2
url pkg:composer/statamic/cms@4.34.0
purl pkg:composer/statamic/cms@4.34.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7fsn-ddsh-zbac
6
vulnerability VCID-7jn5-qd6y-vbg9
7
vulnerability VCID-88c2-bant-c3f7
8
vulnerability VCID-dcz8-ptts-fudz
9
vulnerability VCID-f9mc-yupq-nkdm
10
vulnerability VCID-gxvz-s2qn-uqbe
11
vulnerability VCID-kjqn-zv4f-zyak
12
vulnerability VCID-md5z-7r9y-u7bg
13
vulnerability VCID-n1wb-964r-zubv
14
vulnerability VCID-nax6-fhk7-rudm
15
vulnerability VCID-pf25-j1qp-nygr
16
vulnerability VCID-saqn-jmc9-mudb
17
vulnerability VCID-tff1-wegz-pbc9
18
vulnerability VCID-wjgz-btnr-67cv
19
vulnerability VCID-xyrx-z921-8qdg
20
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0
aliases CVE-2023-48217, GHSA-2r53-9295-3m86
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a56w-4c8c-jqd7
10
url VCID-dcz8-ptts-fudz
vulnerability_id VCID-dcz8-ptts-fudz
summary
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
### Impact
The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.

### Patches
This has been fixed in 5.73.16 and 6.7.2.
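The advisory names a parsing differential but does not spell out the bypass, so the example below does not claim to reproduce it. It is an added, generic redirect-target validator (not Statamic's code) that handles the inputs browsers and server-side URL parsers are known to disagree on: backslashes, protocol-relative `//host`, scheme-without-slashes `https:host`, userinfo tricks and a doubled slash after the host. The host `app.example` and the targets are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target, app_host, default="/"):
    """Return a redirect location guaranteed to stay on app_host, else `default`.
    Backslashes are normalised to slashes first because browsers treat them as
    slashes while most server-side parsers do not: that gap is exactly the kind
    of differential that turns a 'same host' check into an open redirect."""
    if not isinstance(target, str):
        return default
    normalized = target.replace("\\", "/").strip()
    if not normalized or any(c in normalized for c in "\r\n\t\x00"):
        return default
    parts = urlsplit(normalized)
    if parts.scheme == "" and parts.netloc == "":
        # Scheme-less input: only an absolute path with a single leading slash is local.
        if normalized.startswith("/") and not normalized.startswith("//"):
            return normalized
        return default
    if parts.scheme not in ("http", "https"):
        return default                        # javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return default                        # https://app.example@evil.example/
    if parts.hostname != app_host.lower():
        return default                        # also catches 'https:evil.example' (hostname None)
    # Same host: hand back only path/query/fragment so the host is never attacker-chosen,
    # collapsing a leading '//' in the path that would otherwise read as protocol-relative.
    path = "/" + (parts.path or "").lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```

Returning a relative path for same-host absolute URLs means the scheme and host in the Location header always come from the application, which removes the host comparison from the attack surface entirely on the response side.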
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33885
reference_id
reference_type
scores
0
value 0.00052
scoring_system epss
scoring_elements 0.16556
published_at 2026-06-09T12:55:00Z
1
value 0.00052
scoring_system epss
scoring_elements 0.16665
published_at 2026-06-05T12:55:00Z
2
value 0.00052
scoring_system epss
scoring_elements 0.16661
published_at 2026-06-06T12:55:00Z
3
value 0.00052
scoring_system epss
scoring_elements 0.16623
published_at 2026-06-07T12:55:00Z
4
value 0.00052
scoring_system epss
scoring_elements 0.16541
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33885
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/
url https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33885
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33885
4
reference_url https://github.com/advisories/GHSA-7f74-7q5w-hj4r
reference_id GHSA-7f74-7q5w-hj4r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7f74-7q5w-hj4r
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33885, GHSA-7f74-7q5w-hj4r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dcz8-ptts-fudz
11
url VCID-enub-vz6v-sqck
vulnerability_id VCID-enub-vz6v-sqck
summary
Inadequate Encryption Strength
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.
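The mechanism described above is a blind oracle: the filter runs over a field that the response never returns, so an anchored regex turns "did any row match?" into one bit about the next character of the hash. The example below is added here to make that concrete; it is not Statamic's REST API and uses a stub endpoint with its own filter syntax, a constructed user store and a bcrypt-shaped placeholder string that is not a real hash. It pairs the vulnerable stub with the fix, an allowlist of filterable fields checked before any matching happens.

```python
import re
import string

# Constructed user store; the "hash" is a placeholder string, not a real hash.
USERS = [
    {"id": "u1", "email": "alice@example.test",
     "password": "$2y$10$abcdefghijklmnopqrstuu"},
]
HASH_ALPHABET = string.ascii_letters + string.digits + "./$"


def users_endpoint_vulnerable(filters):
    """Stub of a filter-then-serialise endpoint. The regex filter is applied to
    whatever field the client names, including the hash, and only afterwards is
    the hash dropped from the output, so an empty versus non-empty result
    leaks whether the pattern matched."""
    rows = USERS
    for field, pattern in filters.items():
        rows = [u for u in rows if re.search(pattern, str(u.get(field, "")))]
    return [{"id": u["id"], "email": u["email"]} for u in rows]


FILTERABLE = {"id", "email"}


def users_endpoint_fixed(filters):
    """Fix: filtering is permitted only on an allowlist of public fields,
    decided before any pattern is evaluated."""
    for field in filters:
        if field not in FILTERABLE:
            raise ValueError(f"filtering on {field!r} is not allowed")
    return users_endpoint_vulnerable(filters)


def recover_hash(endpoint, length, alphabet=HASH_ALPHABET):
    """Position-by-position oracle: one request per candidate character, with
    the pattern anchored at the start so only the next position is tested.
    Returns the recovered prefix and the number of requests it cost."""
    known, requests = "", 0
    for _ in range(length):
        for ch in alphabet:
            requests += 1
            try:
                hit = endpoint({"password": "^" + re.escape(known + ch)})
            except ValueError:
                return known, requests        # fixed endpoint refuses the filter
            if hit:
                known += ch
                break
        else:
            break                             # no candidate matched; stop
    return known, requests
```

The request count is what the advisory's note about throttling refers to: recovering one position costs up to one request per alphabet character, and a 60-character hash at a throttled rate is slow but entirely mechanical, which is why the fix is to remove the oracle rather than rely on rate limiting.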
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24784
reference_id
reference_type
scores
0
value 0.00268
scoring_system epss
scoring_elements 0.50445
published_at 2026-06-09T12:55:00Z
1
value 0.00268
scoring_system epss
scoring_elements 0.50409
published_at 2026-06-04T12:55:00Z
2
value 0.00268
scoring_system epss
scoring_elements 0.5047
published_at 2026-06-05T12:55:00Z
3
value 0.00268
scoring_system epss
scoring_elements 0.50477
published_at 2026-06-06T12:55:00Z
4
value 0.00268
scoring_system epss
scoring_elements 0.50457
published_at 2026-06-07T12:55:00Z
5
value 0.00268
scoring_system epss
scoring_elements 0.50428
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24784
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/issues/5604
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/
url https://github.com/statamic/cms/issues/5604
3
reference_url https://github.com/statamic/cms/pull/5568
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/
url https://github.com/statamic/cms/pull/5568
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24784
reference_id CVE-2022-24784
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24784
5
reference_url https://github.com/advisories/GHSA-qcgx-7p5f-hxvr
reference_id GHSA-qcgx-7p5f-hxvr
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qcgx-7p5f-hxvr
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
reference_id GHSA-qcgx-7p5f-hxvr
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/
url https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
fixed_packages
0
url pkg:composer/statamic/cms@3.2.39
purl pkg:composer/statamic/cms@3.2.39
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7329-yjw5-nqgx
6
vulnerability VCID-7fsn-ddsh-zbac
7
vulnerability VCID-7jn5-qd6y-vbg9
8
vulnerability VCID-88c2-bant-c3f7
9
vulnerability VCID-a56w-4c8c-jqd7
10
vulnerability VCID-dcz8-ptts-fudz
11
vulnerability VCID-f9mc-yupq-nkdm
12
vulnerability VCID-gxvz-s2qn-uqbe
13
vulnerability VCID-kjqn-zv4f-zyak
14
vulnerability VCID-md5z-7r9y-u7bg
15
vulnerability VCID-n1wb-964r-zubv
16
vulnerability VCID-nax6-fhk7-rudm
17
vulnerability VCID-pf25-j1qp-nygr
18
vulnerability VCID-saqn-jmc9-mudb
19
vulnerability VCID-tff1-wegz-pbc9
20
vulnerability VCID-wjgz-btnr-67cv
21
vulnerability VCID-xyrx-z921-8qdg
22
vulnerability VCID-yure-1mrw-jfeu
23
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.2.39
1
url pkg:composer/statamic/cms@3.3.2
purl pkg:composer/statamic/cms@3.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7329-yjw5-nqgx
6
vulnerability VCID-7fsn-ddsh-zbac
7
vulnerability VCID-7jn5-qd6y-vbg9
8
vulnerability VCID-88c2-bant-c3f7
9
vulnerability VCID-a56w-4c8c-jqd7
10
vulnerability VCID-dcz8-ptts-fudz
11
vulnerability VCID-f9mc-yupq-nkdm
12
vulnerability VCID-gxvz-s2qn-uqbe
13
vulnerability VCID-kjqn-zv4f-zyak
14
vulnerability VCID-md5z-7r9y-u7bg
15
vulnerability VCID-n1wb-964r-zubv
16
vulnerability VCID-nax6-fhk7-rudm
17
vulnerability VCID-pf25-j1qp-nygr
18
vulnerability VCID-saqn-jmc9-mudb
19
vulnerability VCID-tff1-wegz-pbc9
20
vulnerability VCID-wjgz-btnr-67cv
21
vulnerability VCID-xyrx-z921-8qdg
22
vulnerability VCID-yure-1mrw-jfeu
23
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.3.2
aliases CVE-2022-24784, GHSA-qcgx-7p5f-hxvr
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-enub-vz6v-sqck
12
url VCID-f9mc-yupq-nkdm
vulnerability_id VCID-f9mc-yupq-nkdm
summary
Statamic vulnerable to privilege escalation via stored cross-site scripting
Stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28426
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02143
published_at 2026-06-08T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02175
published_at 2026-06-06T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02168
published_at 2026-06-05T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02132
published_at 2026-06-09T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02156
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28426
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
3
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28426
reference_id CVE-2026-28426
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28426
5
reference_url https://github.com/advisories/GHSA-5vrj-wf7v-5wr7
reference_id GHSA-5vrj-wf7v-5wr7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5vrj-wf7v-5wr7
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7
reference_id GHSA-5vrj-wf7v-5wr7
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/
url https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7
fixed_packages
0
url pkg:composer/statamic/cms@5.73.11
purl pkg:composer/statamic/cms@5.73.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-69px-5kah-8bbx
2
vulnerability VCID-7fsn-ddsh-zbac
3
vulnerability VCID-88c2-bant-c3f7
4
vulnerability VCID-dcz8-ptts-fudz
5
vulnerability VCID-kjqn-zv4f-zyak
6
vulnerability VCID-n1wb-964r-zubv
7
vulnerability VCID-pf25-j1qp-nygr
8
vulnerability VCID-saqn-jmc9-mudb
9
vulnerability VCID-tff1-wegz-pbc9
10
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11
1
url pkg:composer/statamic/cms@6.4.0
purl pkg:composer/statamic/cms@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-69px-5kah-8bbx
2
vulnerability VCID-7fsn-ddsh-zbac
3
vulnerability VCID-88c2-bant-c3f7
4
vulnerability VCID-dcz8-ptts-fudz
5
vulnerability VCID-kjqn-zv4f-zyak
6
vulnerability VCID-n1wb-964r-zubv
7
vulnerability VCID-pf25-j1qp-nygr
8
vulnerability VCID-saqn-jmc9-mudb
9
vulnerability VCID-tff1-wegz-pbc9
10
vulnerability VCID-unnd-b7ra-jyf9
11
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0
aliases CVE-2026-28426, GHSA-5vrj-wf7v-5wr7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f9mc-yupq-nkdm
13
url VCID-gxvz-s2qn-uqbe
vulnerability_id VCID-gxvz-s2qn-uqbe
summary
Statamic's missing authorization allows access to email addresses
User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28424
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.13082
published_at 2026-06-08T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13196
published_at 2026-06-06T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.13193
published_at 2026-06-05T12:55:00Z
3
value 0.00042
scoring_system epss
scoring_elements 0.13113
published_at 2026-06-09T12:55:00Z
4
value 0.00042
scoring_system epss
scoring_elements 0.13156
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28424
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
3
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28424
reference_id CVE-2026-28424
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28424
5
reference_url https://github.com/advisories/GHSA-w878-f8c6-7r63
reference_id GHSA-w878-f8c6-7r63
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w878-f8c6-7r63
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63
reference_id GHSA-w878-f8c6-7r63
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/
url https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63
fixed_packages
0
url pkg:composer/statamic/cms@5.73.11
purl pkg:composer/statamic/cms@5.73.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-69px-5kah-8bbx
2
vulnerability VCID-7fsn-ddsh-zbac
3
vulnerability VCID-88c2-bant-c3f7
4
vulnerability VCID-dcz8-ptts-fudz
5
vulnerability VCID-kjqn-zv4f-zyak
6
vulnerability VCID-n1wb-964r-zubv
7
vulnerability VCID-pf25-j1qp-nygr
8
vulnerability VCID-saqn-jmc9-mudb
9
vulnerability VCID-tff1-wegz-pbc9
10
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11
1
url pkg:composer/statamic/cms@6.4.0
purl pkg:composer/statamic/cms@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-69px-5kah-8bbx
2
vulnerability VCID-7fsn-ddsh-zbac
3
vulnerability VCID-88c2-bant-c3f7
4
vulnerability VCID-dcz8-ptts-fudz
5
vulnerability VCID-kjqn-zv4f-zyak
6
vulnerability VCID-n1wb-964r-zubv
7
vulnerability VCID-pf25-j1qp-nygr
8
vulnerability VCID-saqn-jmc9-mudb
9
vulnerability VCID-tff1-wegz-pbc9
10
vulnerability VCID-unnd-b7ra-jyf9
11
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0
aliases CVE-2026-28424, GHSA-w878-f8c6-7r63
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gxvz-s2qn-uqbe
14
url VCID-kjqn-zv4f-zyak
vulnerability_id VCID-kjqn-zv4f-zyak
summary
Statamic's Markdown preview endpoint exposes sensitive user data
### Impact
The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.

### Patches
This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33882
reference_id
reference_type
scores
0
value 0.00106
scoring_system epss
scoring_elements 0.28096
published_at 2026-06-09T12:55:00Z
1
value 0.00106
scoring_system epss
scoring_elements 0.28226
published_at 2026-06-05T12:55:00Z
2
value 0.00106
scoring_system epss
scoring_elements 0.28176
published_at 2026-06-06T12:55:00Z
3
value 0.00106
scoring_system epss
scoring_elements 0.28136
published_at 2026-06-07T12:55:00Z
4
value 0.00106
scoring_system epss
scoring_elements 0.28093
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33882
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/
url https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33882
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33882
4
reference_url https://github.com/advisories/GHSA-cvh3-23vq-w7h4
reference_id GHSA-cvh3-23vq-w7h4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cvh3-23vq-w7h4
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33882, GHSA-cvh3-23vq-w7h4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kjqn-zv4f-zyak
15
url VCID-md5z-7r9y-u7bg
vulnerability_id VCID-md5z-7r9y-u7bg
summary
Statamic affected by privilege escalation via stored cross-site scripting
Stored XSS vulnerability in `html` fieldtypes allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27196
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02659
published_at 2026-06-07T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02608
published_at 2026-06-09T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02641
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02712
published_at 2026-06-06T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02707
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27196
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/
url https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
3
reference_url https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/
url https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27196
reference_id CVE-2026-27196
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27196
5
reference_url https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
reference_id GHSA-8r7r-f4gm-wcpq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
reference_id GHSA-8r7r-f4gm-wcpq
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/
url https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
fixed_packages
0
url pkg:composer/statamic/cms@5.73.9
purl pkg:composer/statamic/cms@5.73.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-5q2z-t8ka-nfff
2
vulnerability VCID-69px-5kah-8bbx
3
vulnerability VCID-7fsn-ddsh-zbac
4
vulnerability VCID-88c2-bant-c3f7
5
vulnerability VCID-dcz8-ptts-fudz
6
vulnerability VCID-f9mc-yupq-nkdm
7
vulnerability VCID-gxvz-s2qn-uqbe
8
vulnerability VCID-kjqn-zv4f-zyak
9
vulnerability VCID-n1wb-964r-zubv
10
vulnerability VCID-pf25-j1qp-nygr
11
vulnerability VCID-saqn-jmc9-mudb
12
vulnerability VCID-tff1-wegz-pbc9
13
vulnerability VCID-wjgz-btnr-67cv
14
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9
1
url pkg:composer/statamic/cms@6.3.2
purl pkg:composer/statamic/cms@6.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-5q2z-t8ka-nfff
2
vulnerability VCID-69px-5kah-8bbx
3
vulnerability VCID-7fsn-ddsh-zbac
4
vulnerability VCID-88c2-bant-c3f7
5
vulnerability VCID-9yv7-85t6-mkcj
6
vulnerability VCID-dcz8-ptts-fudz
7
vulnerability VCID-f9mc-yupq-nkdm
8
vulnerability VCID-gxvz-s2qn-uqbe
9
vulnerability VCID-kjqn-zv4f-zyak
10
vulnerability VCID-n1wb-964r-zubv
11
vulnerability VCID-pf25-j1qp-nygr
12
vulnerability VCID-saqn-jmc9-mudb
13
vulnerability VCID-tff1-wegz-pbc9
14
vulnerability VCID-unnd-b7ra-jyf9
15
vulnerability VCID-wjgz-btnr-67cv
16
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2
aliases CVE-2026-27196, GHSA-8r7r-f4gm-wcpq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-md5z-7r9y-u7bg
16
url VCID-n1wb-964r-zubv
vulnerability_id VCID-n1wb-964r-zubv
summary
Statamic: Unsafe method invocation via query value resolution allows data destruction
### Impact

Manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.

The Control Panel requires authentication with minimal permissions in order to exploit, e.g. the "view entries" permission to delete entries, or the "view users" permission to delete users.

The REST and GraphQL API exploits do not require any permissions; however, neither API is enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.

Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority.

### Patches

This has been fixed in 5.73.20 and 6.13.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41175
reference_id
reference_type
scores
0
value 0.00105
scoring_system epss
scoring_elements 0.28061
published_at 2026-06-09T12:55:00Z
1
value 0.00105
scoring_system epss
scoring_elements 0.2819
published_at 2026-06-05T12:55:00Z
2
value 0.00105
scoring_system epss
scoring_elements 0.28141
published_at 2026-06-06T12:55:00Z
3
value 0.00105
scoring_system epss
scoring_elements 0.28101
published_at 2026-06-07T12:55:00Z
4
value 0.00105
scoring_system epss
scoring_elements 0.28057
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41175
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/
url https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41175
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41175
4
reference_url https://github.com/advisories/GHSA-4jjr-vmv7-wh4w
reference_id GHSA-4jjr-vmv7-wh4w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4jjr-vmv7-wh4w
fixed_packages
0
url pkg:composer/statamic/cms@5.73.20
purl pkg:composer/statamic/cms@5.73.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.20
1
url pkg:composer/statamic/cms@6.13.0
purl pkg:composer/statamic/cms@6.13.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0
aliases CVE-2026-41175, GHSA-4jjr-vmv7-wh4w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n1wb-964r-zubv
17
url VCID-nax6-fhk7-rudm
vulnerability_id VCID-nax6-fhk7-rudm
summary
Statamic CMS's missing authorization allows access to assets
Users without permission to view assets are able to download them and view their metadata.

Logged-out users and users without permission to access the control panel are unable to take advantage of this.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25633
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02484
published_at 2026-06-07T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02428
published_at 2026-06-09T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02467
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.0254
published_at 2026-06-06T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02539
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25633
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
3
reference_url https://github.com/statamic/cms/pull/13883
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/pull/13883
4
reference_url https://github.com/statamic/cms/releases/tag/v5.73.6
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/releases/tag/v5.73.6
5
reference_url https://github.com/statamic/cms/releases/tag/v6.2.5
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/releases/tag/v6.2.5
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25633
reference_id CVE-2026-25633
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25633
7
reference_url https://github.com/advisories/GHSA-gwmx-9gcj-332h
reference_id GHSA-gwmx-9gcj-332h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gwmx-9gcj-332h
8
reference_url https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
reference_id GHSA-gwmx-9gcj-332h
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
fixed_packages
0
url pkg:composer/statamic/cms@5.73.6
purl pkg:composer/statamic/cms@5.73.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-5q2z-t8ka-nfff
2
vulnerability VCID-69px-5kah-8bbx
3
vulnerability VCID-7fsn-ddsh-zbac
4
vulnerability VCID-88c2-bant-c3f7
5
vulnerability VCID-dcz8-ptts-fudz
6
vulnerability VCID-f9mc-yupq-nkdm
7
vulnerability VCID-gxvz-s2qn-uqbe
8
vulnerability VCID-kjqn-zv4f-zyak
9
vulnerability VCID-md5z-7r9y-u7bg
10
vulnerability VCID-n1wb-964r-zubv
11
vulnerability VCID-pf25-j1qp-nygr
12
vulnerability VCID-saqn-jmc9-mudb
13
vulnerability VCID-tff1-wegz-pbc9
14
vulnerability VCID-wjgz-btnr-67cv
15
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6
1
url pkg:composer/statamic/cms@6.2.5
purl pkg:composer/statamic/cms@6.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-5q2z-t8ka-nfff
2
vulnerability VCID-69px-5kah-8bbx
3
vulnerability VCID-7fsn-ddsh-zbac
4
vulnerability VCID-88c2-bant-c3f7
5
vulnerability VCID-9yv7-85t6-mkcj
6
vulnerability VCID-dcz8-ptts-fudz
7
vulnerability VCID-f9mc-yupq-nkdm
8
vulnerability VCID-gxvz-s2qn-uqbe
9
vulnerability VCID-kjqn-zv4f-zyak
10
vulnerability VCID-md5z-7r9y-u7bg
11
vulnerability VCID-n1wb-964r-zubv
12
vulnerability VCID-pf25-j1qp-nygr
13
vulnerability VCID-saqn-jmc9-mudb
14
vulnerability VCID-tff1-wegz-pbc9
15
vulnerability VCID-unnd-b7ra-jyf9
16
vulnerability VCID-wjgz-btnr-67cv
17
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5
aliases CVE-2026-25633, GHSA-gwmx-9gcj-332h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nax6-fhk7-rudm
18
url VCID-pf25-j1qp-nygr
vulnerability_id VCID-pf25-j1qp-nygr
summary
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability.

Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28425
reference_id
reference_type
scores
0
value 0.00188
scoring_system epss
scoring_elements 0.40504
published_at 2026-06-07T12:55:00Z
1
value 0.00188
scoring_system epss
scoring_elements 0.40489
published_at 2026-06-09T12:55:00Z
2
value 0.00188
scoring_system epss
scoring_elements 0.40475
published_at 2026-06-08T12:55:00Z
3
value 0.00188
scoring_system epss
scoring_elements 0.40531
published_at 2026-06-06T12:55:00Z
4
value 0.00188
scoring_system epss
scoring_elements 0.40529
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28425
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v5.73.16
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v5.73.16
3
reference_url https://github.com/statamic/cms/releases/tag/v6.7.2
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v6.7.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28425
reference_id CVE-2026-28425
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28425
5
reference_url https://github.com/advisories/GHSA-cpv7-q2wx-m8rw
reference_id GHSA-cpv7-q2wx-m8rw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cpv7-q2wx-m8rw
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw
reference_id GHSA-cpv7-q2wx-m8rw
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/
url https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-28425, GHSA-cpv7-q2wx-m8rw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pf25-j1qp-nygr
19
url VCID-saqn-jmc9-mudb
vulnerability_id VCID-saqn-jmc9-mudb
summary
Statamic's live preview token bypasses content protection for unrelated entries
### Impact
An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.

### Patches
This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33884
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12212
published_at 2026-06-09T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12317
published_at 2026-06-05T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12316
published_at 2026-06-06T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12281
published_at 2026-06-07T12:55:00Z
4
value 0.0004
scoring_system epss
scoring_elements 0.12199
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33884
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/
url https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33884
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33884
4
reference_url https://github.com/advisories/GHSA-8vwx-ccf6-5wg2
reference_id GHSA-8vwx-ccf6-5wg2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vwx-ccf6-5wg2
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n1wb-964r-zubv
1
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33884, GHSA-8vwx-ccf6-5wg2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-saqn-jmc9-mudb
20
url VCID-tff1-wegz-pbc9
vulnerability_id VCID-tff1-wegz-pbc9
summary
Statamic has a path traversal in file dictionary fieldtype
### Impact

Authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint.

### Patches

This has been fixed in 5.73.14 and 6.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33171
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06413
published_at 2026-06-09T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06469
published_at 2026-06-05T12:55:00Z
2
value 0.00022
scoring_system epss
scoring_elements 0.06461
published_at 2026-06-06T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.06451
published_at 2026-06-07T12:55:00Z
4
value 0.00022
scoring_system epss
scoring_elements 0.06405
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33171
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/
url https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33171
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33171
4
reference_url https://github.com/advisories/GHSA-qm7r-wwq7-6f85
reference_id GHSA-qm7r-wwq7-6f85
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qm7r-wwq7-6f85
fixed_packages
0
url pkg:composer/statamic/cms@5.73.14
purl pkg:composer/statamic/cms@5.73.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14
1
url pkg:composer/statamic/cms@6.7.0
purl pkg:composer/statamic/cms@6.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0
aliases CVE-2026-33171, GHSA-qm7r-wwq7-6f85
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tff1-wegz-pbc9
21
url VCID-wjgz-btnr-67cv
vulnerability_id VCID-wjgz-btnr-67cv
summary
Statamic is vulnerable to account takeover via password reset link injection
An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.

The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27593
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04344
published_at 2026-06-06T12:55:00Z
1
value 0.00017
scoring_system epss
scoring_elements 0.04326
published_at 2026-06-09T12:55:00Z
2
value 0.00017
scoring_system epss
scoring_elements 0.04306
published_at 2026-06-08T12:55:00Z
3
value 0.00017
scoring_system epss
scoring_elements 0.04334
published_at 2026-06-07T12:55:00Z
4
value 0.00017
scoring_system epss
scoring_elements 0.04356
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27593
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e
3
reference_url https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be
4
reference_url https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0
5
reference_url https://github.com/statamic/cms/releases/tag/v5.73.10
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/releases/tag/v5.73.10
6
reference_url https://github.com/statamic/cms/releases/tag/v6.3.3
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/releases/tag/v6.3.3
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27593
reference_id CVE-2026-27593
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27593
8
reference_url https://github.com/advisories/GHSA-jxq9-79vj-rgvw
reference_id GHSA-jxq9-79vj-rgvw
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jxq9-79vj-rgvw
9
reference_url https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw
reference_id GHSA-jxq9-79vj-rgvw
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw
fixed_packages
0
url pkg:composer/statamic/cms@5.73.10
purl pkg:composer/statamic/cms@5.73.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-5q2z-t8ka-nfff
2
vulnerability VCID-69px-5kah-8bbx
3
vulnerability VCID-7fsn-ddsh-zbac
4
vulnerability VCID-88c2-bant-c3f7
5
vulnerability VCID-dcz8-ptts-fudz
6
vulnerability VCID-f9mc-yupq-nkdm
7
vulnerability VCID-gxvz-s2qn-uqbe
8
vulnerability VCID-kjqn-zv4f-zyak
9
vulnerability VCID-n1wb-964r-zubv
10
vulnerability VCID-pf25-j1qp-nygr
11
vulnerability VCID-saqn-jmc9-mudb
12
vulnerability VCID-tff1-wegz-pbc9
13
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10
1
url pkg:composer/statamic/cms@6.7.1
purl pkg:composer/statamic/cms@6.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-69px-5kah-8bbx
1
vulnerability VCID-7fsn-ddsh-zbac
2
vulnerability VCID-dcz8-ptts-fudz
3
vulnerability VCID-kjqn-zv4f-zyak
4
vulnerability VCID-n1wb-964r-zubv
5
vulnerability VCID-saqn-jmc9-mudb
6
vulnerability VCID-vhz9-vavp-hyb6
7
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1
aliases CVE-2026-27593, GHSA-jxq9-79vj-rgvw
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wjgz-btnr-67cv
22
url VCID-xyrx-z921-8qdg
vulnerability_id VCID-xyrx-z921-8qdg
summary
Statamic CMS vulnerable to email enumeration via forgot password endpoint
### Impact

Responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.

### Patches

This has been fixed in 5.73.21 and 6.15.0. The forgot password forms now return the same generic response regardless of whether the submitted email matches a registered user.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44306
reference_id
reference_type
scores
0
value 0.00037
scoring_system epss
scoring_elements 0.11469
published_at 2026-06-09T12:55:00Z
1
value 0.00037
scoring_system epss
scoring_elements 0.11575
published_at 2026-06-05T12:55:00Z
2
value 0.00037
scoring_system epss
scoring_elements 0.11571
published_at 2026-06-06T12:55:00Z
3
value 0.00037
scoring_system epss
scoring_elements 0.11537
published_at 2026-06-07T12:55:00Z
4
value 0.00037
scoring_system epss
scoring_elements 0.11456
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44306
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/
url https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44306
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44306
4
reference_url https://github.com/advisories/GHSA-m24v-f7g5-gq67
reference_id GHSA-m24v-f7g5-gq67
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m24v-f7g5-gq67
fixed_packages
0
url pkg:composer/statamic/cms@5.73.21
purl pkg:composer/statamic/cms@5.73.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.21
1
url pkg:composer/statamic/cms@6.15.0
purl pkg:composer/statamic/cms@6.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0
aliases CVE-2026-44306, GHSA-m24v-f7g5-gq67
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xyrx-z921-8qdg
23
url VCID-yure-1mrw-jfeu
vulnerability_id VCID-yure-1mrw-jfeu
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-36828
reference_id
reference_type
scores
0
value 0.00299
scoring_system epss
scoring_elements 0.53538
published_at 2026-06-08T12:55:00Z
1
value 0.00299
scoring_system epss
scoring_elements 0.53563
published_at 2026-06-09T12:55:00Z
2
value 0.00299
scoring_system epss
scoring_elements 0.53575
published_at 2026-06-06T12:55:00Z
3
value 0.00299
scoring_system epss
scoring_elements 0.53567
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-36828
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/
url https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15
3
reference_url https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/
url https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40
4
reference_url https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/
url https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d
5
reference_url https://github.com/statamic/cms/pull/8408
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/
url https://github.com/statamic/cms/pull/8408
6
reference_url https://github.com/statamic/cms/releases/tag/v4.10.0
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/
url https://github.com/statamic/cms/releases/tag/v4.10.0
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36828
reference_id CVE-2023-36828
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-36828
8
reference_url https://github.com/advisories/GHSA-6r5g-cq4q-327g
reference_id GHSA-6r5g-cq4q-327g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6r5g-cq4q-327g
9
reference_url https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g
reference_id GHSA-6r5g-cq4q-327g
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/
url https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g
fixed_packages
0
url pkg:composer/statamic/cms@4.10.0
purl pkg:composer/statamic/cms@4.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7329-yjw5-nqgx
6
vulnerability VCID-7fsn-ddsh-zbac
7
vulnerability VCID-7jn5-qd6y-vbg9
8
vulnerability VCID-88c2-bant-c3f7
9
vulnerability VCID-a56w-4c8c-jqd7
10
vulnerability VCID-dcz8-ptts-fudz
11
vulnerability VCID-f9mc-yupq-nkdm
12
vulnerability VCID-gxvz-s2qn-uqbe
13
vulnerability VCID-kjqn-zv4f-zyak
14
vulnerability VCID-md5z-7r9y-u7bg
15
vulnerability VCID-n1wb-964r-zubv
16
vulnerability VCID-nax6-fhk7-rudm
17
vulnerability VCID-pf25-j1qp-nygr
18
vulnerability VCID-saqn-jmc9-mudb
19
vulnerability VCID-tff1-wegz-pbc9
20
vulnerability VCID-wjgz-btnr-67cv
21
vulnerability VCID-xyrx-z921-8qdg
22
vulnerability VCID-z4dm-tpj4-5ya4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.10.0
aliases CVE-2023-36828, GHSA-6r5g-cq4q-327g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yure-1mrw-jfeu
24
url VCID-z4dm-tpj4-5ya4
vulnerability_id VCID-z4dm-tpj4-5ya4
summary
Cross-site Scripting via uploaded assets
Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-48701
reference_id
reference_type
scores
0
value 0.00953
scoring_system epss
scoring_elements 0.7679
published_at 2026-06-07T12:55:00Z
1
value 0.00953
scoring_system epss
scoring_elements 0.76802
published_at 2026-06-09T12:55:00Z
2
value 0.00953
scoring_system epss
scoring_elements 0.7678
published_at 2026-06-08T12:55:00Z
3
value 0.00953
scoring_system epss
scoring_elements 0.76794
published_at 2026-06-05T12:55:00Z
4
value 0.00953
scoring_system epss
scoring_elements 0.768
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-48701
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v3.4.15
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v3.4.15
3
reference_url https://github.com/statamic/cms/releases/tag/v4.36.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v4.36.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48701
reference_id CVE-2023-48701
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-48701
5
reference_url https://github.com/advisories/GHSA-8jjh-j3c2-cjcv
reference_id GHSA-8jjh-j3c2-cjcv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8jjh-j3c2-cjcv
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv
reference_id GHSA-8jjh-j3c2-cjcv
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv
fixed_packages
0
url pkg:composer/statamic/cms@3.4.15
purl pkg:composer/statamic/cms@3.4.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7fsn-ddsh-zbac
6
vulnerability VCID-7jn5-qd6y-vbg9
7
vulnerability VCID-88c2-bant-c3f7
8
vulnerability VCID-dcz8-ptts-fudz
9
vulnerability VCID-f9mc-yupq-nkdm
10
vulnerability VCID-gxvz-s2qn-uqbe
11
vulnerability VCID-kjqn-zv4f-zyak
12
vulnerability VCID-md5z-7r9y-u7bg
13
vulnerability VCID-n1wb-964r-zubv
14
vulnerability VCID-nax6-fhk7-rudm
15
vulnerability VCID-pf25-j1qp-nygr
16
vulnerability VCID-saqn-jmc9-mudb
17
vulnerability VCID-tff1-wegz-pbc9
18
vulnerability VCID-wjgz-btnr-67cv
19
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15
1
url pkg:composer/statamic/cms@4.36.0
purl pkg:composer/statamic/cms@4.36.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2jq7-5yxn-hubp
1
vulnerability VCID-2pmt-5bu3-6qfd
2
vulnerability VCID-5q2z-t8ka-nfff
3
vulnerability VCID-69px-5kah-8bbx
4
vulnerability VCID-6pwu-1kkq-dkar
5
vulnerability VCID-7fsn-ddsh-zbac
6
vulnerability VCID-7jn5-qd6y-vbg9
7
vulnerability VCID-88c2-bant-c3f7
8
vulnerability VCID-dcz8-ptts-fudz
9
vulnerability VCID-f9mc-yupq-nkdm
10
vulnerability VCID-gxvz-s2qn-uqbe
11
vulnerability VCID-kjqn-zv4f-zyak
12
vulnerability VCID-md5z-7r9y-u7bg
13
vulnerability VCID-n1wb-964r-zubv
14
vulnerability VCID-nax6-fhk7-rudm
15
vulnerability VCID-pf25-j1qp-nygr
16
vulnerability VCID-saqn-jmc9-mudb
17
vulnerability VCID-tff1-wegz-pbc9
18
vulnerability VCID-wjgz-btnr-67cv
19
vulnerability VCID-xyrx-z921-8qdg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0
aliases CVE-2023-48701, GHSA-8jjh-j3c2-cjcv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z4dm-tpj4-5ya4
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.0.0-beta.35