{"url":"http://public2.vulnerablecode.io/api/packages/638242?format=json","purl":"pkg:composer/statamic/cms@3.3.44","type":"composer","namespace":"statamic","name":"cms","version":"3.3.44","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.73.14","latest_non_vulnerable_version":"6.18.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66092?format=json","vulnerability_id":"VCID-1fy7-n7hd-87b9","summary":"Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25633","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02452","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25633"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/pull/13883","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/13883"},{"reference_url":"https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a","reference_id":"5a6f47246edf3a0c453727ffecbfa14333a6bc8a","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25633","reference_id":"CVE-2026-25633","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25633"},{"reference_url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h","reference_id":"GHSA-gwmx-9gcj-332h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h","reference_id":"GHSA-gwmx-9gcj-332h","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.6","reference_id":"v5.73.6","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.6"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.2.5","reference_id":"v6.2.5","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.2.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39085?format=json","purl":"pkg:composer/statamic/cms@5.73.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6"},{"url":"http://public2.vulnerablecode.io/api/packages/39088?format=json","purl":"pkg:composer/statamic/cms@6.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-w7sz-egcg-e7g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5"}],"aliases":["CVE-2026-25633","GHSA-gwmx-9gcj-332h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fy7-n7hd-87b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69609?format=json","vulnerability_id":"VCID-62mz-fap3-7khn","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28425","reference_id":"","reference_type":"","scores":[{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40543","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28425"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.16","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.16"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.7.2","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v6.7.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28425","reference_id":"CVE-2026-28425","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28425"},{"reference_url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw","reference_id":"GHSA-cpv7-q2wx-m8rw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw","reference_id":"GHSA-cpv7-q2wx-m8rw","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40015?format=json","purl":"pkg:composer/statamic/cms@5.73.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16"},{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-28425","GHSA-cpv7-q2wx-m8rw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-62mz-fap3-7khn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/357445?format=json","vulnerability_id":"VCID-94xa-dsvn-77ee","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48701","reference_id":"","reference_type":"","scores":[{"value":"0.00953","scoring_system":"epss","scoring_elements":"0.76842","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48701"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v3.4.15","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v3.4.15"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v4.36.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v4.36.0"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48701","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48701"},{"reference_url":"https://github.com/advisories/GHSA-8jjh-j3c2-cjcv","reference_id":"GHSA-8jjh-j3c2-cjcv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8jjh-j3c2-cjcv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381115?format=json","purl":"pkg:composer/statamic/cms@3.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15"},{"url":"http://public2.vulnerablecode.io/api/packages/381116?format=json","purl":"pkg:composer/statamic/cms@4.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0"}],"aliases":["CVE-2023-48701","GHSA-8jjh-j3c2-cjcv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94xa-dsvn-77ee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61639?format=json","vulnerability_id":"VCID-bdpx-mypp-auge","summary":"Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24570","reference_id":"","reference_type":"","scores":[{"value":"0.0144","scoring_system":"epss","scoring_elements":"0.81145","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24570"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"http://seclists.org/fulldisclosure/2024/Feb/17","reference_id":"17","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/"}],"url":"http://seclists.org/fulldisclosure/2024/Feb/17"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24570","reference_id":"CVE-2024-24570","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24570"},{"reference_url":"https://github.com/advisories/GHSA-vqxq-hvxw-9mv9","reference_id":"GHSA-vqxq-hvxw-9mv9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vqxq-hvxw-9mv9"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9","reference_id":"GHSA-vqxq-hvxw-9mv9","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9"},{"reference_url":"http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html","reference_id":"Statamic-CMS-Cross-Site-Scripting.html","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/"}],"url":"http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28673?format=json","purl":"pkg:composer/statamic/cms@3.4.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17"},{"url":"http://public2.vulnerablecode.io/api/packages/28675?format=json","purl":"pkg:composer/statamic/cms@4.46.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0"}],"aliases":["CVE-2024-24570","GHSA-vqxq-hvxw-9mv9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bdpx-mypp-auge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136323?format=json","vulnerability_id":"VCID-etr9-3n87-d3ch","summary":"Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36828","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5363","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36828"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36828","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36828"},{"reference_url":"https://github.com/statamic/cms/pull/8408","reference_id":"8408","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/pull/8408"},{"reference_url":"https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d","reference_id":"c714893ad92de6e5ede17b501003441af505b30d","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d"},{"reference_url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15","reference_id":"FilesFieldtypeController.php#L15","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15"},{"reference_url":"https://github.com/advisories/GHSA-6r5g-cq4q-327g","reference_id":"GHSA-6r5g-cq4q-327g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6r5g-cq4q-327g"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g","reference_id":"GHSA-6r5g-cq4q-327g","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g"},{"reference_url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40","reference_id":"Svg.php#L36-L40","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v4.10.0","reference_id":"v4.10.0","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T17:58:24Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v4.10.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381322?format=json","purl":"pkg:composer/statamic/cms@4.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-94xa-dsvn-77ee"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-n3wy-rvyw-m7dc"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-rnrk-n64t-ybhw"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.10.0"}],"aliases":["CVE-2023-36828","GHSA-6r5g-cq4q-327g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-etr9-3n87-d3ch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69390?format=json","vulnerability_id":"VCID-gxn8-7hm9-g3b3","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28426","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02132","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28426"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28426","reference_id":"CVE-2026-28426","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28426"},{"reference_url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7","reference_id":"GHSA-5vrj-wf7v-5wr7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7","reference_id":"GHSA-5vrj-wf7v-5wr7","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40013?format=json","purl":"pkg:composer/statamic/cms@5.73.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11"},{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28426","GHSA-5vrj-wf7v-5wr7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gxn8-7hm9-g3b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/146484?format=json","vulnerability_id":"VCID-n3wy-rvyw-m7dc","summary":"Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48217","reference_id":"","reference_type":"","scores":[{"value":"0.01048","scoring_system":"epss","scoring_elements":"0.77933","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48217"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6"},{"reference_url":"https://github.com/statamic/cms/pull/8991","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/8991"},{"reference_url":"https://github.com/statamic/cms/pull/8992","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/8992"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v3.4.14","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v3.4.14"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v4.34.0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v4.34.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48217","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48217"},{"reference_url":"https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411","reference_id":"4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/"}],"url":"https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411"},{"reference_url":"https://github.com/advisories/GHSA-2r53-9295-3m86","reference_id":"GHSA-2r53-9295-3m86","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2r53-9295-3m86"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86","reference_id":"GHSA-2r53-9295-3m86","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381166?format=json","purl":"pkg:composer/statamic/cms@3.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-94xa-dsvn-77ee"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/638279?format=json","purl":"pkg:composer/statamic/cms@4.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-etr9-3n87-d3ch"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/381165?format=json","purl":"pkg:composer/statamic/cms@4.34.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-94xa-dsvn-77ee"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0"}],"aliases":["CVE-2023-48217","GHSA-2r53-9295-3m86"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n3wy-rvyw-m7dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69196?format=json","vulnerability_id":"VCID-nqhe-2h4b-wkc1","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28423","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07359","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28423"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28423","reference_id":"CVE-2026-28423","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28423"},{"reference_url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp","reference_id":"GHSA-cwpp-325q-2cvp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp","reference_id":"GHSA-cwpp-325q-2cvp","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40013?format=json","purl":"pkg:composer/statamic/cms@5.73.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11"},{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28423","GHSA-cwpp-325q-2cvp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nqhe-2h4b-wkc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80238?format=json","vulnerability_id":"VCID-nsp1-qqp9-g3g9","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27593","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04353","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27593"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e","reference_id":"6fdd03324982848e8754f2edd2265262d361714e","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"},{"reference_url":"https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be","reference_id":"78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"},{"reference_url":"https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0","reference_id":"b2be592ddfb588bcb88c9be454f3590e14b145b0","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27593","reference_id":"CVE-2026-27593","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27593"},{"reference_url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw","reference_id":"GHSA-jxq9-79vj-rgvw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw","reference_id":"GHSA-jxq9-79vj-rgvw","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.10","reference_id":"v5.73.10","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.10"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.3.3","reference_id":"v6.3.3","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.3.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39799?format=json","purl":"pkg:composer/statamic/cms@5.73.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-tys6-5sqz-dfhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10"},{"url":"http://public2.vulnerablecode.io/api/packages/39802?format=json","purl":"pkg:composer/statamic/cms@6.7.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1"}],"aliases":["CVE-2026-27593","GHSA-jxq9-79vj-rgvw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nsp1-qqp9-g3g9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/147810?format=json","vulnerability_id":"VCID-rnrk-n64t-ybhw","summary":"Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47129","reference_id":"","reference_type":"","scores":[{"value":"0.05963","scoring_system":"epss","scoring_elements":"0.90861","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47129"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47129","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47129"},{"reference_url":"https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75","reference_id":"098ef8024d97286ca501273c18ae75b646262d75","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/"}],"url":"https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75"},{"reference_url":"https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77","reference_id":"f6c688154f6bdbd0b67039f8f11dcd98ba061e77","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/"}],"url":"https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77"},{"reference_url":"https://github.com/advisories/GHSA-72hg-5wr5-rmfc","reference_id":"GHSA-72hg-5wr5-rmfc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-72hg-5wr5-rmfc"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc","reference_id":"GHSA-72hg-5wr5-rmfc","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381089?format=json","purl":"pkg:composer/statamic/cms@3.4.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-94xa-dsvn-77ee"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-n3wy-rvyw-m7dc"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13"},{"url":"http://public2.vulnerablecode.io/api/packages/381088?format=json","purl":"pkg:composer/statamic/cms@4.33.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-94xa-dsvn-77ee"},{"vulnerability":"VCID-bdpx-mypp-auge"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-n3wy-rvyw-m7dc"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"},{"vulnerability":"VCID-z2qu-kkwp-dfew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0"}],"aliases":["CVE-2023-47129","GHSA-72hg-5wr5-rmfc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rnrk-n64t-ybhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79707?format=json","vulnerability_id":"VCID-s17m-ejen-bya7","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27196","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02632","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27196"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b","reference_id":"11ae40e62edd3da044d37ebf264757a09cc2347b","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b"},{"reference_url":"https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3","reference_id":"6c270dacc2be02bfc2eee500766f3309f59d47b3","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27196","reference_id":"CVE-2026-27196","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27196"},{"reference_url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq","reference_id":"GHSA-8r7r-f4gm-wcpq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq","reference_id":"GHSA-8r7r-f4gm-wcpq","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39452?format=json","purl":"pkg:composer/statamic/cms@5.73.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-tys6-5sqz-dfhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9"},{"url":"http://public2.vulnerablecode.io/api/packages/39453?format=json","purl":"pkg:composer/statamic/cms@6.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-w7sz-egcg-e7g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2"}],"aliases":["CVE-2026-27196","GHSA-8r7r-f4gm-wcpq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s17m-ejen-bya7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69194?format=json","vulnerability_id":"VCID-tys6-5sqz-dfhw","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28424","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13194","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28424"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28424","reference_id":"CVE-2026-28424","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28424"},{"reference_url":"https://github.com/advisories/GHSA-w878-f8c6-7r63","reference_id":"GHSA-w878-f8c6-7r63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w878-f8c6-7r63"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63","reference_id":"GHSA-w878-f8c6-7r63","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40013?format=json","purl":"pkg:composer/statamic/cms@5.73.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11"},{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62mz-fap3-7khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28424","GHSA-w878-f8c6-7r63"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tys6-5sqz-dfhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90983?format=json","vulnerability_id":"VCID-vb35-2r2f-cqcf","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64112","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10988","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64112"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.22.1","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v5.22.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64112","reference_id":"CVE-2025-64112","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64112"},{"reference_url":"https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1","reference_id":"e513751f433679ce698606e20c554a0c839987c1","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/"}],"url":"https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1"},{"reference_url":"https://github.com/advisories/GHSA-g59r-24g3-h7cm","reference_id":"GHSA-g59r-24g3-h7cm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g59r-24g3-h7cm"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm","reference_id":"GHSA-g59r-24g3-h7cm","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34935?format=json","purl":"pkg:composer/statamic/cms@5.22.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1"}],"aliases":["CVE-2025-64112","GHSA-g59r-24g3-h7cm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vb35-2r2f-cqcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43730?format=json","vulnerability_id":"VCID-z2qu-kkwp-dfew","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52600","reference_id":"","reference_type":"","scores":[{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60225","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52600"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52600","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52600"},{"reference_url":"https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d","reference_id":"0c07c10009a2439c8ee56c8faefd1319dc6e388d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d"},{"reference_url":"https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da","reference_id":"400875b20f40e1343699d536a432a6fc284346da","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da"},{"reference_url":"https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d","reference_id":"4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d"},{"reference_url":"https://github.com/advisories/GHSA-p7f6-8mcm-fwv3","reference_id":"GHSA-p7f6-8mcm-fwv3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-p7f6-8mcm-fwv3"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3","reference_id":"GHSA-p7f6-8mcm-fwv3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372872?format=json","purl":"pkg:composer/statamic/cms@5.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-vb35-2r2f-cqcf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0"}],"aliases":["CVE-2024-52600","GHSA-p7f6-8mcm-fwv3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z2qu-kkwp-dfew"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.3.44"}