{"url":"http://public2.vulnerablecode.io/api/packages/564971?format=json","purl":"pkg:composer/statamic/cms@3.0.36","type":"composer","namespace":"statamic","name":"cms","version":"3.0.36","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.73.21","latest_non_vulnerable_version":"6.18.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90903?format=json","vulnerability_id":"VCID-2jq7-5yxn-hubp","summary":"Statamic has Stored XSS via SVG Sanitization Bypass\n### Impact\n\nStored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33172","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02499","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02606","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02608","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02553","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02538","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33172"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33172","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33172"},{"reference_url":"https://github.com/advisories/GHSA-7rcv-55mj-chg7","reference_id":"GHSA-7rcv-55mj-chg7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7rcv-55mj-chg7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112829?format=json","purl":"pkg:composer/statamic/cms@5.73.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14"},{"url":"http://public2.vulnerablecode.io/api/packages/112828?format=json","purl":"pkg:composer/statamic/cms@6.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0"}],"aliases":["CVE-2026-33172","GHSA-7rcv-55mj-chg7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2jq7-5yxn-hubp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48310?format=json","vulnerability_id":"VCID-2pmt-5bu3-6qfd","summary":"Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation\nStored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\nThis affects:\n\n- Control panel users with permission to create or edit Collections and Taxonomies\n- Versions up to and including 5.22.0\n\nThe vulnerability can be exploited to:\n\n- Change a super admin's password (versions ≤ 5.21.0)\n- Change a super admin's email address to initiate password reset (version 5.22.0)\n- Gain unauthorized access to superadmin accounts\n\nThe attack requires:\n\n- An authenticated user with control panel and content creation permissions\n- A super admin to view the compromised content","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64112","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10891","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11006","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11014","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10908","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10972","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64112"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/"}],"url":"https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.22.1","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v5.22.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64112","reference_id":"CVE-2025-64112","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64112"},{"reference_url":"https://github.com/advisories/GHSA-g59r-24g3-h7cm","reference_id":"GHSA-g59r-24g3-h7cm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g59r-24g3-h7cm"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm","reference_id":"GHSA-g59r-24g3-h7cm","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71300?format=json","purl":"pkg:composer/statamic/cms@5.22.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1"}],"aliases":["CVE-2025-64112","GHSA-g59r-24g3-h7cm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2pmt-5bu3-6qfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50459?format=json","vulnerability_id":"VCID-5q2z-t8ka-nfff","summary":"Statamic Vulnerable to Server-Side Request Forgery via Glide\nWhen Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28423","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07352","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07321","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07308","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07375","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07368","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28423"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28423","reference_id":"CVE-2026-28423","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28423"},{"reference_url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp","reference_id":"GHSA-cwpp-325q-2cvp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp","reference_id":"GHSA-cwpp-325q-2cvp","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74366?format=json","purl":"pkg:composer/statamic/cms@5.73.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11"},{"url":"http://public2.vulnerablecode.io/api/packages/74329?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-unnd-b7ra-jyf9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28423","GHSA-cwpp-325q-2cvp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5q2z-t8ka-nfff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90789?format=json","vulnerability_id":"VCID-69px-5kah-8bbx","summary":"Statamic allows unauthorized content access through missing authorization in its revision controllers\n### Impact\nAuthenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.\n\nUsers could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33887","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09866","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09931","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09945","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09918","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09834","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33887"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33887","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33887"},{"reference_url":"https://github.com/advisories/GHSA-4hp7-3wxg-cv9q","reference_id":"GHSA-4hp7-3wxg-cv9q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hp7-3wxg-cv9q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74368?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/74369?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33887","GHSA-4hp7-3wxg-cv9q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-69px-5kah-8bbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46926?format=json","vulnerability_id":"VCID-6pwu-1kkq-dkar","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStatamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.","references":[{"reference_url":"http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/"}],"url":"http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24570","reference_id":"","reference_type":"","scores":[{"value":"0.0144","scoring_system":"epss","scoring_elements":"0.81091","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0144","scoring_system":"epss","scoring_elements":"0.8109","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0144","scoring_system":"epss","scoring_elements":"0.81105","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0144","scoring_system":"epss","scoring_elements":"0.81087","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0144","scoring_system":"epss","scoring_elements":"0.81094","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24570"},{"reference_url":"http://seclists.org/fulldisclosure/2024/Feb/17","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/"}],"url":"http://seclists.org/fulldisclosure/2024/Feb/17"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24570","reference_id":"CVE-2024-24570","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24570"},{"reference_url":"https://github.com/advisories/GHSA-vqxq-hvxw-9mv9","reference_id":"GHSA-vqxq-hvxw-9mv9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vqxq-hvxw-9mv9"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9","reference_id":"GHSA-vqxq-hvxw-9mv9","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68671?format=json","purl":"pkg:composer/statamic/cms@3.4.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17"},{"url":"http://public2.vulnerablecode.io/api/packages/68672?format=json","purl":"pkg:composer/statamic/cms@4.46.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0"}],"aliases":["CVE-2024-24570","GHSA-vqxq-hvxw-9mv9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6pwu-1kkq-dkar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46381?format=json","vulnerability_id":"VCID-7329-yjw5-nqgx","summary":"Statamic CMS remote code execution via front-end form uploads\nStatmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47129","reference_id":"","reference_type":"","scores":[{"value":"0.05963","scoring_system":"epss","scoring_elements":"0.90831","published_at":"2026-06-07T12:55:00Z"},{"value":"0.05963","scoring_system":"epss","scoring_elements":"0.90845","published_at":"2026-06-09T12:55:00Z"},{"value":"0.05963","scoring_system":"epss","scoring_elements":"0.90829","published_at":"2026-06-08T12:55:00Z"},{"value":"0.05963","scoring_system":"epss","scoring_elements":"0.90834","published_at":"2026-06-06T12:55:00Z"},{"value":"0.05963","scoring_system":"epss","scoring_elements":"0.90833","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47129"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/"}],"url":"https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75"},{"reference_url":"https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/"}],"url":"https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47129","reference_id":"CVE-2023-47129","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47129"},{"reference_url":"https://github.com/advisories/GHSA-72hg-5wr5-rmfc","reference_id":"GHSA-72hg-5wr5-rmfc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72hg-5wr5-rmfc"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc","reference_id":"GHSA-72hg-5wr5-rmfc","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67701?format=json","purl":"pkg:composer/statamic/cms@3.4.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-a56w-4c8c-jqd7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13"},{"url":"http://public2.vulnerablecode.io/api/packages/67702?format=json","purl":"pkg:composer/statamic/cms@4.33.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-a56w-4c8c-jqd7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0"}],"aliases":["CVE-2023-47129","GHSA-72hg-5wr5-rmfc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7329-yjw5-nqgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91845?format=json","vulnerability_id":"VCID-7fsn-ddsh-zbac","summary":"Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag\n### Impact\n\nThe `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.\n\n### Patches\n\nThis has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33883","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12726","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12814","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12819","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1278","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12695","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33883"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33883","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33883"},{"reference_url":"https://github.com/advisories/GHSA-3jg4-p23x-p4qx","reference_id":"GHSA-3jg4-p23x-p4qx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3jg4-p23x-p4qx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74368?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/74369?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33883","GHSA-3jg4-p23x-p4qx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7fsn-ddsh-zbac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56236?format=json","vulnerability_id":"VCID-7jn5-qd6y-vbg9","summary":"Statamic CMS has a Path Traversal in Asset Upload\nAssets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52600","reference_id":"","reference_type":"","scores":[{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60138","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60156","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60168","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60165","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60155","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52600"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d"},{"reference_url":"https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da"},{"reference_url":"https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52600","reference_id":"CVE-2024-52600","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52600"},{"reference_url":"https://github.com/advisories/GHSA-p7f6-8mcm-fwv3","reference_id":"GHSA-p7f6-8mcm-fwv3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p7f6-8mcm-fwv3"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3","reference_id":"GHSA-p7f6-8mcm-fwv3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83309?format=json","purl":"pkg:composer/statamic/cms@5.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0"}],"aliases":["CVE-2024-52600","GHSA-p7f6-8mcm-fwv3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jn5-qd6y-vbg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91381?format=json","vulnerability_id":"VCID-88c2-bant-c3f7","summary":"Statamic is missing authorization check on taxonomy term creation via fieldtype\n### Impact\n\nLow-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33177","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0255","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02651","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02654","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.026","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02584","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33177"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33177","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33177"},{"reference_url":"https://github.com/advisories/GHSA-wh3h-gvc4-cc2g","reference_id":"GHSA-wh3h-gvc4-cc2g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wh3h-gvc4-cc2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112829?format=json","purl":"pkg:composer/statamic/cms@5.73.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14"},{"url":"http://public2.vulnerablecode.io/api/packages/112828?format=json","purl":"pkg:composer/statamic/cms@6.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0"}],"aliases":["CVE-2026-33177","GHSA-wh3h-gvc4-cc2g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-88c2-bant-c3f7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46388?format=json","vulnerability_id":"VCID-a56w-4c8c-jqd7","summary":"Statamic CMS vulnerable to remote code execution via form uploads\nStatamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48217","reference_id":"","reference_type":"","scores":[{"value":"0.01048","scoring_system":"epss","scoring_elements":"0.77872","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01048","scoring_system":"epss","scoring_elements":"0.77883","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01048","scoring_system":"epss","scoring_elements":"0.77893","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01048","scoring_system":"epss","scoring_elements":"0.7789","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01048","scoring_system":"epss","scoring_elements":"0.77887","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48217"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/"}],"url":"https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411"},{"reference_url":"https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6"},{"reference_url":"https://github.com/statamic/cms/pull/8991","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/8991"},{"reference_url":"https://github.com/statamic/cms/pull/8992","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/8992"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v3.4.14","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v3.4.14"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v4.34.0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v4.34.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48217","reference_id":"CVE-2023-48217","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48217"},{"reference_url":"https://github.com/advisories/GHSA-2r53-9295-3m86","reference_id":"GHSA-2r53-9295-3m86","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2r53-9295-3m86"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86","reference_id":"GHSA-2r53-9295-3m86","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67718?format=json","purl":"pkg:composer/statamic/cms@3.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/661738?format=json","purl":"pkg:composer/statamic/cms@4.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-yure-1mrw-jfeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/67719?format=json","purl":"pkg:composer/statamic/cms@4.34.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0"}],"aliases":["CVE-2023-48217","GHSA-2r53-9295-3m86"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a56w-4c8c-jqd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91628?format=json","vulnerability_id":"VCID-dcz8-ptts-fudz","summary":"Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential\n### Impact\nThe external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33885","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16556","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16665","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16661","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16623","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16541","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33885"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33885","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33885"},{"reference_url":"https://github.com/advisories/GHSA-7f74-7q5w-hj4r","reference_id":"GHSA-7f74-7q5w-hj4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7f74-7q5w-hj4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74368?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/74369?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33885","GHSA-7f74-7q5w-hj4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dcz8-ptts-fudz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42801?format=json","vulnerability_id":"VCID-enub-vz6v-sqck","summary":"Inadequate Encryption Strength\nStatamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24784","reference_id":"","reference_type":"","scores":[{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50445","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50409","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.5047","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50477","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50457","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50428","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24784"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/issues/5604","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/"}],"url":"https://github.com/statamic/cms/issues/5604"},{"reference_url":"https://github.com/statamic/cms/pull/5568","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/"}],"url":"https://github.com/statamic/cms/pull/5568"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24784","reference_id":"CVE-2022-24784","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24784"},{"reference_url":"https://github.com/advisories/GHSA-qcgx-7p5f-hxvr","reference_id":"GHSA-qcgx-7p5f-hxvr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcgx-7p5f-hxvr"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr","reference_id":"GHSA-qcgx-7p5f-hxvr","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61142?format=json","purl":"pkg:composer/statamic/cms@3.2.39","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7329-yjw5-nqgx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-a56w-4c8c-jqd7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-yure-1mrw-jfeu"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.2.39"},{"url":"http://public2.vulnerablecode.io/api/packages/61143?format=json","purl":"pkg:composer/statamic/cms@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7329-yjw5-nqgx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-a56w-4c8c-jqd7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-yure-1mrw-jfeu"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.3.2"}],"aliases":["CVE-2022-24784","GHSA-qcgx-7p5f-hxvr"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-enub-vz6v-sqck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50464?format=json","vulnerability_id":"VCID-f9mc-yupq-nkdm","summary":"Statamic vulnerable to privilege escalation via stored cross-site scripting\nStored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28426","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02143","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02175","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02168","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02132","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02156","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28426"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28426","reference_id":"CVE-2026-28426","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28426"},{"reference_url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7","reference_id":"GHSA-5vrj-wf7v-5wr7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7","reference_id":"GHSA-5vrj-wf7v-5wr7","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74366?format=json","purl":"pkg:composer/statamic/cms@5.73.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11"},{"url":"http://public2.vulnerablecode.io/api/packages/74329?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-unnd-b7ra-jyf9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28426","GHSA-5vrj-wf7v-5wr7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f9mc-yupq-nkdm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50460?format=json","vulnerability_id":"VCID-gxvz-s2qn-uqbe","summary":"Statamic's missing authorization allows access to email addresses\nUser email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28424","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13082","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13196","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13193","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13113","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13156","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28424"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28424","reference_id":"CVE-2026-28424","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28424"},{"reference_url":"https://github.com/advisories/GHSA-w878-f8c6-7r63","reference_id":"GHSA-w878-f8c6-7r63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w878-f8c6-7r63"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63","reference_id":"GHSA-w878-f8c6-7r63","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74366?format=json","purl":"pkg:composer/statamic/cms@5.73.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11"},{"url":"http://public2.vulnerablecode.io/api/packages/74329?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-unnd-b7ra-jyf9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28424","GHSA-w878-f8c6-7r63"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gxvz-s2qn-uqbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91411?format=json","vulnerability_id":"VCID-kjqn-zv4f-zyak","summary":"Statamic's Markdown preview endpoint exposes sensitive user data\n### Impact\nThe markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33882","reference_id":"","reference_type":"","scores":[{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28096","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28226","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28176","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28136","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28093","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33882"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33882","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33882"},{"reference_url":"https://github.com/advisories/GHSA-cvh3-23vq-w7h4","reference_id":"GHSA-cvh3-23vq-w7h4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cvh3-23vq-w7h4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74368?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/74369?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33882","GHSA-cvh3-23vq-w7h4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kjqn-zv4f-zyak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50271?format=json","vulnerability_id":"VCID-md5z-7r9y-u7bg","summary":"Statamic affected by privilege escalation via stored cross-site scripting\nStored XSS vulnerability in `html` fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27196","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02659","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02608","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02641","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02712","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02707","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27196"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b"},{"reference_url":"https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27196","reference_id":"CVE-2026-27196","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27196"},{"reference_url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq","reference_id":"GHSA-8r7r-f4gm-wcpq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq","reference_id":"GHSA-8r7r-f4gm-wcpq","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74164?format=json","purl":"pkg:composer/statamic/cms@5.73.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9"},{"url":"http://public2.vulnerablecode.io/api/packages/74163?format=json","purl":"pkg:composer/statamic/cms@6.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-9yv7-85t6-mkcj"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-unnd-b7ra-jyf9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2"}],"aliases":["CVE-2026-27196","GHSA-8r7r-f4gm-wcpq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-md5z-7r9y-u7bg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89129?format=json","vulnerability_id":"VCID-n1wb-964r-zubv","summary":"Statamic: Unsafe method invocation via query value resolution allows data destruction\n### Impact\n\nManipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.\n\nThe Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc.\n\nThe REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.\n\nSites that enable the REST or GraphQL API without authentication should treat patching as critical priority.\n\n### Patches\n\nThis has been fixed in 5.73.20 and 6.13.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41175","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28061","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.2819","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28141","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28101","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28057","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41175"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41175","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41175"},{"reference_url":"https://github.com/advisories/GHSA-4jjr-vmv7-wh4w","reference_id":"GHSA-4jjr-vmv7-wh4w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4jjr-vmv7-wh4w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110184?format=json","purl":"pkg:composer/statamic/cms@5.73.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.20"},{"url":"http://public2.vulnerablecode.io/api/packages/110185?format=json","purl":"pkg:composer/statamic/cms@6.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0"}],"aliases":["CVE-2026-41175","GHSA-4jjr-vmv7-wh4w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n1wb-964r-zubv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50113?format=json","vulnerability_id":"VCID-nax6-fhk7-rudm","summary":"Statamic CMS's missing authorization allows access to assets\nUsers without permission to view assets are able are able to download them and view their metadata.\n\nLogged-out users and users without permission to access the control panel are unable to take advantage of this.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25633","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02484","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02428","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02467","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0254","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02539","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25633"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a"},{"reference_url":"https://github.com/statamic/cms/pull/13883","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/13883"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.6","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.6"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.2.5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.2.5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25633","reference_id":"CVE-2026-25633","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25633"},{"reference_url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h","reference_id":"GHSA-gwmx-9gcj-332h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h","reference_id":"GHSA-gwmx-9gcj-332h","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74003?format=json","purl":"pkg:composer/statamic/cms@5.73.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6"},{"url":"http://public2.vulnerablecode.io/api/packages/74004?format=json","purl":"pkg:composer/statamic/cms@6.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-9yv7-85t6-mkcj"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-unnd-b7ra-jyf9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5"}],"aliases":["CVE-2026-25633","GHSA-gwmx-9gcj-332h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nax6-fhk7-rudm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50462?format=json","vulnerability_id":"VCID-pf25-j1qp-nygr","summary":"Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs\nAn authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability.\n\nExploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28425","reference_id":"","reference_type":"","scores":[{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40504","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40489","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40475","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40531","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40529","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28425"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.16","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.16"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.7.2","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v6.7.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28425","reference_id":"CVE-2026-28425","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28425"},{"reference_url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw","reference_id":"GHSA-cpv7-q2wx-m8rw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw","reference_id":"GHSA-cpv7-q2wx-m8rw","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74368?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/74369?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-28425","GHSA-cpv7-q2wx-m8rw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pf25-j1qp-nygr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91788?format=json","vulnerability_id":"VCID-saqn-jmc9-mudb","summary":"Statamic's live preview token bypasses content protection for unrelated entries\n### Impact\nAn authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33884","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12212","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12317","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12316","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12281","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12199","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33884"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33884","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33884"},{"reference_url":"https://github.com/advisories/GHSA-8vwx-ccf6-5wg2","reference_id":"GHSA-8vwx-ccf6-5wg2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8vwx-ccf6-5wg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74368?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/74369?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33884","GHSA-8vwx-ccf6-5wg2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-saqn-jmc9-mudb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91359?format=json","vulnerability_id":"VCID-tff1-wegz-pbc9","summary":"Statamic has a path traversal in file dictionary fieldtype\n### Impact\n\nAuthenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33171","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06413","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06469","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06461","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06451","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06405","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33171"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33171","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33171"},{"reference_url":"https://github.com/advisories/GHSA-qm7r-wwq7-6f85","reference_id":"GHSA-qm7r-wwq7-6f85","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm7r-wwq7-6f85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112829?format=json","purl":"pkg:composer/statamic/cms@5.73.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14"},{"url":"http://public2.vulnerablecode.io/api/packages/112828?format=json","purl":"pkg:composer/statamic/cms@6.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0"}],"aliases":["CVE-2026-33171","GHSA-qm7r-wwq7-6f85"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tff1-wegz-pbc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50346?format=json","vulnerability_id":"VCID-wjgz-btnr-67cv","summary":"Statamic is vulnerable to account takeover via password reset link injection\nAn attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.\n\nThe attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27593","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04344","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04326","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04306","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04334","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04356","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27593"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"},{"reference_url":"https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"},{"reference_url":"https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.10","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.10"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.3.3","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.3.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27593","reference_id":"CVE-2026-27593","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27593"},{"reference_url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw","reference_id":"GHSA-jxq9-79vj-rgvw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw","reference_id":"GHSA-jxq9-79vj-rgvw","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74235?format=json","purl":"pkg:composer/statamic/cms@5.73.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10"},{"url":"http://public2.vulnerablecode.io/api/packages/74236?format=json","purl":"pkg:composer/statamic/cms@6.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-vhz9-vavp-hyb6"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1"}],"aliases":["CVE-2026-27593","GHSA-jxq9-79vj-rgvw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wjgz-btnr-67cv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92794?format=json","vulnerability_id":"VCID-xyrx-z921-8qdg","summary":"Statamic CMS vulnerable to email enumeration via forgot password endpoint\n### Impact\n\nResponses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.\n\n### Patches\n\nThis has been fixed in 5.73.21 and 6.15.0. The forgot password forms now return the same generic response regardless of whether the submitted email matches a registered user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44306","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11469","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11575","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11571","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11537","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11456","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44306"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44306","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44306"},{"reference_url":"https://github.com/advisories/GHSA-m24v-f7g5-gq67","reference_id":"GHSA-m24v-f7g5-gq67","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m24v-f7g5-gq67"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115925?format=json","purl":"pkg:composer/statamic/cms@5.73.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.21"},{"url":"http://public2.vulnerablecode.io/api/packages/115926?format=json","purl":"pkg:composer/statamic/cms@6.15.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0"}],"aliases":["CVE-2026-44306","GHSA-m24v-f7g5-gq67"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xyrx-z921-8qdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45585?format=json","vulnerability_id":"VCID-yure-1mrw-jfeu","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nStatamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36828","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53538","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53563","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53575","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53567","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36828"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15"},{"reference_url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40"},{"reference_url":"https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d"},{"reference_url":"https://github.com/statamic/cms/pull/8408","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/pull/8408"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v4.10.0","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v4.10.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36828","reference_id":"CVE-2023-36828","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36828"},{"reference_url":"https://github.com/advisories/GHSA-6r5g-cq4q-327g","reference_id":"GHSA-6r5g-cq4q-327g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6r5g-cq4q-327g"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g","reference_id":"GHSA-6r5g-cq4q-327g","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65943?format=json","purl":"pkg:composer/statamic/cms@4.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7329-yjw5-nqgx"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-a56w-4c8c-jqd7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"},{"vulnerability":"VCID-z4dm-tpj4-5ya4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.10.0"}],"aliases":["CVE-2023-36828","GHSA-6r5g-cq4q-327g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yure-1mrw-jfeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46463?format=json","vulnerability_id":"VCID-z4dm-tpj4-5ya4","summary":"Cross-site Scripting via uploaded assets\nStatamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 an 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the \"Forms\" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched on 3.4.15 and 4.36.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48701","reference_id":"","reference_type":"","scores":[{"value":"0.00953","scoring_system":"epss","scoring_elements":"0.7679","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00953","scoring_system":"epss","scoring_elements":"0.76802","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00953","scoring_system":"epss","scoring_elements":"0.7678","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00953","scoring_system":"epss","scoring_elements":"0.76794","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00953","scoring_system":"epss","scoring_elements":"0.768","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48701"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v3.4.15","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v3.4.15"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v4.36.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v4.36.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48701","reference_id":"CVE-2023-48701","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48701"},{"reference_url":"https://github.com/advisories/GHSA-8jjh-j3c2-cjcv","reference_id":"GHSA-8jjh-j3c2-cjcv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jjh-j3c2-cjcv"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv","reference_id":"GHSA-8jjh-j3c2-cjcv","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67836?format=json","purl":"pkg:composer/statamic/cms@3.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15"},{"url":"http://public2.vulnerablecode.io/api/packages/67837?format=json","purl":"pkg:composer/statamic/cms@4.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2jq7-5yxn-hubp"},{"vulnerability":"VCID-2pmt-5bu3-6qfd"},{"vulnerability":"VCID-5q2z-t8ka-nfff"},{"vulnerability":"VCID-69px-5kah-8bbx"},{"vulnerability":"VCID-6pwu-1kkq-dkar"},{"vulnerability":"VCID-7fsn-ddsh-zbac"},{"vulnerability":"VCID-7jn5-qd6y-vbg9"},{"vulnerability":"VCID-88c2-bant-c3f7"},{"vulnerability":"VCID-dcz8-ptts-fudz"},{"vulnerability":"VCID-f9mc-yupq-nkdm"},{"vulnerability":"VCID-gxvz-s2qn-uqbe"},{"vulnerability":"VCID-kjqn-zv4f-zyak"},{"vulnerability":"VCID-md5z-7r9y-u7bg"},{"vulnerability":"VCID-n1wb-964r-zubv"},{"vulnerability":"VCID-nax6-fhk7-rudm"},{"vulnerability":"VCID-pf25-j1qp-nygr"},{"vulnerability":"VCID-saqn-jmc9-mudb"},{"vulnerability":"VCID-tff1-wegz-pbc9"},{"vulnerability":"VCID-wjgz-btnr-67cv"},{"vulnerability":"VCID-xyrx-z921-8qdg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0"}],"aliases":["CVE-2023-48701","GHSA-8jjh-j3c2-cjcv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4dm-tpj4-5ya4"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.0.36"}