Lookup for vulnerable packages by Package URL.

Purl pkg:composer/statamic/cms@3.4.12
Type composer
Namespace statamic
Name cms
Version 3.4.12
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 5.73.21
Latest_non_vulnerable_version 6.18.1
Affected_by_vulnerabilities
0
url VCID-1fy7-n7hd-87b9
vulnerability_id VCID-1fy7-n7hd-87b9
summary Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25633
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02454
published_at 2026-06-12T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02452
published_at 2026-06-11T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03135
published_at 2026-06-13T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03148
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25633
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/pull/13883
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/pull/13883
3
reference_url https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
reference_id 5a6f47246edf3a0c453727ffecbfa14333a6bc8a
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25633
reference_id CVE-2026-25633
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25633
5
reference_url https://github.com/advisories/GHSA-gwmx-9gcj-332h
reference_id GHSA-gwmx-9gcj-332h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gwmx-9gcj-332h
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
reference_id GHSA-gwmx-9gcj-332h
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
7
reference_url https://github.com/statamic/cms/releases/tag/v5.73.6
reference_id v5.73.6
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/releases/tag/v5.73.6
8
reference_url https://github.com/statamic/cms/releases/tag/v6.2.5
reference_id v6.2.5
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/
url https://github.com/statamic/cms/releases/tag/v6.2.5
fixed_packages
0
url pkg:composer/statamic/cms@5.73.6
purl pkg:composer/statamic/cms@5.73.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-5vp8-dye1-wbd9
3
vulnerability VCID-62mz-fap3-7khn
4
vulnerability VCID-9chh-y51z-uqdy
5
vulnerability VCID-acat-8pec-yycn
6
vulnerability VCID-c8nx-d391-63bw
7
vulnerability VCID-crhs-g4rj-y3du
8
vulnerability VCID-g8pq-2yub-kkc8
9
vulnerability VCID-gxn8-7hm9-g3b3
10
vulnerability VCID-kajb-u17y-7ufu
11
vulnerability VCID-nqhe-2h4b-wkc1
12
vulnerability VCID-nsp1-qqp9-g3g9
13
vulnerability VCID-pxjn-93a2-53fs
14
vulnerability VCID-s17m-ejen-bya7
15
vulnerability VCID-tys6-5sqz-dfhw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.6
1
url pkg:composer/statamic/cms@6.2.5
purl pkg:composer/statamic/cms@6.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-3zh8-e7tr-gye9
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-gxn8-7hm9-g3b3
11
vulnerability VCID-kajb-u17y-7ufu
12
vulnerability VCID-nqhe-2h4b-wkc1
13
vulnerability VCID-nsp1-qqp9-g3g9
14
vulnerability VCID-pxjn-93a2-53fs
15
vulnerability VCID-s17m-ejen-bya7
16
vulnerability VCID-tys6-5sqz-dfhw
17
vulnerability VCID-w7sz-egcg-e7g5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5
aliases CVE-2026-25633, GHSA-gwmx-9gcj-332h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1fy7-n7hd-87b9
1
url VCID-2ueq-n7pd-1yav
vulnerability_id VCID-2ueq-n7pd-1yav
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41175
reference_id
reference_type
scores
0
value 0.00105
scoring_system epss
scoring_elements 0.283
published_at 2026-06-14T12:55:00Z
1
value 0.00105
scoring_system epss
scoring_elements 0.28087
published_at 2026-06-11T12:55:00Z
2
value 0.00105
scoring_system epss
scoring_elements 0.28308
published_at 2026-06-13T12:55:00Z
3
value 0.00105
scoring_system epss
scoring_elements 0.28284
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41175
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41175
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41175
3
reference_url https://github.com/advisories/GHSA-4jjr-vmv7-wh4w
reference_id GHSA-4jjr-vmv7-wh4w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4jjr-vmv7-wh4w
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w
reference_id GHSA-4jjr-vmv7-wh4w
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/
url https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w
fixed_packages
0
url pkg:composer/statamic/cms@5.73.20
purl pkg:composer/statamic/cms@5.73.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.20
1
url pkg:composer/statamic/cms@6.13.0
purl pkg:composer/statamic/cms@6.13.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0
aliases CVE-2026-41175, GHSA-4jjr-vmv7-wh4w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ueq-n7pd-1yav
2
url VCID-3afh-kvfu-q3f6
vulnerability_id VCID-3afh-kvfu-q3f6
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33172
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02517
published_at 2026-06-13T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02524
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02527
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33172
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33172
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33172
3
reference_url https://github.com/advisories/GHSA-7rcv-55mj-chg7
reference_id GHSA-7rcv-55mj-chg7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7rcv-55mj-chg7
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7
reference_id GHSA-7rcv-55mj-chg7
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/
url https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7
fixed_packages
0
url pkg:composer/statamic/cms@5.73.14
purl pkg:composer/statamic/cms@5.73.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14
1
url pkg:composer/statamic/cms@6.7.0
purl pkg:composer/statamic/cms@6.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0
aliases CVE-2026-33172, GHSA-7rcv-55mj-chg7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3afh-kvfu-q3f6
3
url VCID-5vp8-dye1-wbd9
vulnerability_id VCID-5vp8-dye1-wbd9
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33171
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06461
published_at 2026-06-12T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06429
published_at 2026-06-14T12:55:00Z
2
value 0.00022
scoring_system epss
scoring_elements 0.06442
published_at 2026-06-11T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.0645
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33171
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33171
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33171
3
reference_url https://github.com/advisories/GHSA-qm7r-wwq7-6f85
reference_id GHSA-qm7r-wwq7-6f85
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qm7r-wwq7-6f85
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85
reference_id GHSA-qm7r-wwq7-6f85
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/
url https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85
fixed_packages
0
url pkg:composer/statamic/cms@5.73.14
purl pkg:composer/statamic/cms@5.73.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14
1
url pkg:composer/statamic/cms@6.7.0
purl pkg:composer/statamic/cms@6.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0
aliases CVE-2026-33171, GHSA-qm7r-wwq7-6f85
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5vp8-dye1-wbd9
4
url VCID-62mz-fap3-7khn
vulnerability_id VCID-62mz-fap3-7khn
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28425
reference_id
reference_type
scores
0
value 0.00188
scoring_system epss
scoring_elements 0.40734
published_at 2026-06-13T12:55:00Z
1
value 0.00188
scoring_system epss
scoring_elements 0.4072
published_at 2026-06-14T12:55:00Z
2
value 0.00188
scoring_system epss
scoring_elements 0.4071
published_at 2026-06-12T12:55:00Z
3
value 0.00188
scoring_system epss
scoring_elements 0.40543
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28425
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v5.73.16
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v5.73.16
3
reference_url https://github.com/statamic/cms/releases/tag/v6.7.2
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v6.7.2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28425
reference_id CVE-2026-28425
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28425
5
reference_url https://github.com/advisories/GHSA-cpv7-q2wx-m8rw
reference_id GHSA-cpv7-q2wx-m8rw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cpv7-q2wx-m8rw
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw
reference_id GHSA-cpv7-q2wx-m8rw
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/
url https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw
7
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id v5.73.11
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
8
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id v6.4.0
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-28425, GHSA-cpv7-q2wx-m8rw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-62mz-fap3-7khn
5
url VCID-94xa-dsvn-77ee
vulnerability_id VCID-94xa-dsvn-77ee
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-48701
reference_id
reference_type
scores
0
value 0.00953
scoring_system epss
scoring_elements 0.76842
published_at 2026-06-11T12:55:00Z
1
value 0.00953
scoring_system epss
scoring_elements 0.76912
published_at 2026-06-12T12:55:00Z
2
value 0.00953
scoring_system epss
scoring_elements 0.76927
published_at 2026-06-13T12:55:00Z
3
value 0.00953
scoring_system epss
scoring_elements 0.7692
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-48701
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v3.4.15
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v3.4.15
3
reference_url https://github.com/statamic/cms/releases/tag/v4.36.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v4.36.0
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48701
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-48701
6
reference_url https://github.com/advisories/GHSA-8jjh-j3c2-cjcv
reference_id GHSA-8jjh-j3c2-cjcv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8jjh-j3c2-cjcv
fixed_packages
0
url pkg:composer/statamic/cms@3.4.15
purl pkg:composer/statamic/cms@3.4.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-bdpx-mypp-auge
8
vulnerability VCID-c8nx-d391-63bw
9
vulnerability VCID-crhs-g4rj-y3du
10
vulnerability VCID-g8pq-2yub-kkc8
11
vulnerability VCID-gxn8-7hm9-g3b3
12
vulnerability VCID-kajb-u17y-7ufu
13
vulnerability VCID-nqhe-2h4b-wkc1
14
vulnerability VCID-nsp1-qqp9-g3g9
15
vulnerability VCID-pxjn-93a2-53fs
16
vulnerability VCID-s17m-ejen-bya7
17
vulnerability VCID-tys6-5sqz-dfhw
18
vulnerability VCID-vb35-2r2f-cqcf
19
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.15
1
url pkg:composer/statamic/cms@4.36.0
purl pkg:composer/statamic/cms@4.36.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-bdpx-mypp-auge
8
vulnerability VCID-c8nx-d391-63bw
9
vulnerability VCID-crhs-g4rj-y3du
10
vulnerability VCID-g8pq-2yub-kkc8
11
vulnerability VCID-gxn8-7hm9-g3b3
12
vulnerability VCID-kajb-u17y-7ufu
13
vulnerability VCID-nqhe-2h4b-wkc1
14
vulnerability VCID-nsp1-qqp9-g3g9
15
vulnerability VCID-pxjn-93a2-53fs
16
vulnerability VCID-s17m-ejen-bya7
17
vulnerability VCID-tys6-5sqz-dfhw
18
vulnerability VCID-vb35-2r2f-cqcf
19
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.36.0
aliases CVE-2023-48701, GHSA-8jjh-j3c2-cjcv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-94xa-dsvn-77ee
6
url VCID-9chh-y51z-uqdy
vulnerability_id VCID-9chh-y51z-uqdy
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33883
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12907
published_at 2026-06-12T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12899
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12811
published_at 2026-06-11T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12918
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33883
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33883
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33883
3
reference_url https://github.com/advisories/GHSA-3jg4-p23x-p4qx
reference_id GHSA-3jg4-p23x-p4qx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3jg4-p23x-p4qx
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx
reference_id GHSA-3jg4-p23x-p4qx
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/
url https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33883, GHSA-3jg4-p23x-p4qx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9chh-y51z-uqdy
7
url VCID-acat-8pec-yycn
vulnerability_id VCID-acat-8pec-yycn
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33885
reference_id
reference_type
scores
0
value 0.00052
scoring_system epss
scoring_elements 0.16768
published_at 2026-06-14T12:55:00Z
1
value 0.00052
scoring_system epss
scoring_elements 0.16632
published_at 2026-06-11T12:55:00Z
2
value 0.00052
scoring_system epss
scoring_elements 0.16794
published_at 2026-06-13T12:55:00Z
3
value 0.00052
scoring_system epss
scoring_elements 0.16781
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33885
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33885
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33885
3
reference_url https://github.com/advisories/GHSA-7f74-7q5w-hj4r
reference_id GHSA-7f74-7q5w-hj4r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7f74-7q5w-hj4r
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r
reference_id GHSA-7f74-7q5w-hj4r
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/
url https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33885, GHSA-7f74-7q5w-hj4r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acat-8pec-yycn
8
url VCID-bdpx-mypp-auge
vulnerability_id VCID-bdpx-mypp-auge
summary Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-24570
reference_id
reference_type
scores
0
value 0.0144
scoring_system epss
scoring_elements 0.81205
published_at 2026-06-12T12:55:00Z
1
value 0.0144
scoring_system epss
scoring_elements 0.81204
published_at 2026-06-14T12:55:00Z
2
value 0.0144
scoring_system epss
scoring_elements 0.81214
published_at 2026-06-13T12:55:00Z
3
value 0.0144
scoring_system epss
scoring_elements 0.81145
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-24570
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url http://seclists.org/fulldisclosure/2024/Feb/17
reference_id 17
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/
url http://seclists.org/fulldisclosure/2024/Feb/17
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-24570
reference_id CVE-2024-24570
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-24570
4
reference_url https://github.com/advisories/GHSA-vqxq-hvxw-9mv9
reference_id GHSA-vqxq-hvxw-9mv9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vqxq-hvxw-9mv9
5
reference_url https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9
reference_id GHSA-vqxq-hvxw-9mv9
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/
url https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9
6
reference_url http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html
reference_id Statamic-CMS-Cross-Site-Scripting.html
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:19:41Z/
url http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html
fixed_packages
0
url pkg:composer/statamic/cms@3.4.17
purl pkg:composer/statamic/cms@3.4.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-gxn8-7hm9-g3b3
11
vulnerability VCID-kajb-u17y-7ufu
12
vulnerability VCID-nqhe-2h4b-wkc1
13
vulnerability VCID-nsp1-qqp9-g3g9
14
vulnerability VCID-pxjn-93a2-53fs
15
vulnerability VCID-s17m-ejen-bya7
16
vulnerability VCID-tys6-5sqz-dfhw
17
vulnerability VCID-vb35-2r2f-cqcf
18
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.17
1
url pkg:composer/statamic/cms@4.46.0
purl pkg:composer/statamic/cms@4.46.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-gxn8-7hm9-g3b3
11
vulnerability VCID-kajb-u17y-7ufu
12
vulnerability VCID-nqhe-2h4b-wkc1
13
vulnerability VCID-nsp1-qqp9-g3g9
14
vulnerability VCID-pxjn-93a2-53fs
15
vulnerability VCID-s17m-ejen-bya7
16
vulnerability VCID-tys6-5sqz-dfhw
17
vulnerability VCID-vb35-2r2f-cqcf
18
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.46.0
aliases CVE-2024-24570, GHSA-vqxq-hvxw-9mv9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bdpx-mypp-auge
9
url VCID-c8nx-d391-63bw
vulnerability_id VCID-c8nx-d391-63bw
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33882
reference_id
reference_type
scores
0
value 0.00106
scoring_system epss
scoring_elements 0.2832
published_at 2026-06-12T12:55:00Z
1
value 0.00106
scoring_system epss
scoring_elements 0.28336
published_at 2026-06-14T12:55:00Z
2
value 0.00106
scoring_system epss
scoring_elements 0.28124
published_at 2026-06-11T12:55:00Z
3
value 0.00106
scoring_system epss
scoring_elements 0.28344
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33882
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33882
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33882
3
reference_url https://github.com/advisories/GHSA-cvh3-23vq-w7h4
reference_id GHSA-cvh3-23vq-w7h4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cvh3-23vq-w7h4
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4
reference_id GHSA-cvh3-23vq-w7h4
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/
url https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33882, GHSA-cvh3-23vq-w7h4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8nx-d391-63bw
10
url VCID-crhs-g4rj-y3du
vulnerability_id VCID-crhs-g4rj-y3du
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33884
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12379
published_at 2026-06-12T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12366
published_at 2026-06-14T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12288
published_at 2026-06-11T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12387
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33884
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33884
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33884
3
reference_url https://github.com/advisories/GHSA-8vwx-ccf6-5wg2
reference_id GHSA-8vwx-ccf6-5wg2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vwx-ccf6-5wg2
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2
reference_id GHSA-8vwx-ccf6-5wg2
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/
url https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33884, GHSA-8vwx-ccf6-5wg2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-crhs-g4rj-y3du
11
url VCID-g8pq-2yub-kkc8
vulnerability_id VCID-g8pq-2yub-kkc8
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44306
reference_id
reference_type
scores
0
value 0.00037
scoring_system epss
scoring_elements 0.11544
published_at 2026-06-11T12:55:00Z
1
value 0.00037
scoring_system epss
scoring_elements 0.11621
published_at 2026-06-12T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.1284
published_at 2026-06-14T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12857
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44306
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44306
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44306
3
reference_url https://github.com/advisories/GHSA-m24v-f7g5-gq67
reference_id GHSA-m24v-f7g5-gq67
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m24v-f7g5-gq67
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67
reference_id GHSA-m24v-f7g5-gq67
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/
url https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67
fixed_packages
0
url pkg:composer/statamic/cms@5.73.21
purl pkg:composer/statamic/cms@5.73.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.21
1
url pkg:composer/statamic/cms@6.15.0
purl pkg:composer/statamic/cms@6.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0
aliases CVE-2026-44306, GHSA-m24v-f7g5-gq67
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g8pq-2yub-kkc8
12
url VCID-gxn8-7hm9-g3b3
vulnerability_id VCID-gxn8-7hm9-g3b3
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28426
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02141
published_at 2026-06-14T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02136
published_at 2026-06-12T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02132
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28426
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28426
reference_id CVE-2026-28426
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28426
3
reference_url https://github.com/advisories/GHSA-5vrj-wf7v-5wr7
reference_id GHSA-5vrj-wf7v-5wr7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5vrj-wf7v-5wr7
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7
reference_id GHSA-5vrj-wf7v-5wr7
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/
url https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7
5
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id v5.73.11
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
6
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id v6.4.0
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
fixed_packages
0
url pkg:composer/statamic/cms@5.73.11
purl pkg:composer/statamic/cms@5.73.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-5vp8-dye1-wbd9
3
vulnerability VCID-62mz-fap3-7khn
4
vulnerability VCID-9chh-y51z-uqdy
5
vulnerability VCID-acat-8pec-yycn
6
vulnerability VCID-c8nx-d391-63bw
7
vulnerability VCID-crhs-g4rj-y3du
8
vulnerability VCID-g8pq-2yub-kkc8
9
vulnerability VCID-kajb-u17y-7ufu
10
vulnerability VCID-pxjn-93a2-53fs
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11
1
url pkg:composer/statamic/cms@6.4.0
purl pkg:composer/statamic/cms@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-3zh8-e7tr-gye9
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-kajb-u17y-7ufu
11
vulnerability VCID-pxjn-93a2-53fs
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0
aliases CVE-2026-28426, GHSA-5vrj-wf7v-5wr7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gxn8-7hm9-g3b3
13
url VCID-kajb-u17y-7ufu
vulnerability_id VCID-kajb-u17y-7ufu
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33887
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09984
published_at 2026-06-14T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09945
published_at 2026-06-11T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.09998
published_at 2026-06-13T12:55:00Z
3
value 0.00032
scoring_system epss
scoring_elements 0.09993
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33887
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33887
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33887
3
reference_url https://github.com/advisories/GHSA-4hp7-3wxg-cv9q
reference_id GHSA-4hp7-3wxg-cv9q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4hp7-3wxg-cv9q
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q
reference_id GHSA-4hp7-3wxg-cv9q
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/
url https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q
fixed_packages
0
url pkg:composer/statamic/cms@5.73.16
purl pkg:composer/statamic/cms@5.73.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.16
1
url pkg:composer/statamic/cms@6.7.2
purl pkg:composer/statamic/cms@6.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-g8pq-2yub-kkc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2
aliases CVE-2026-33887, GHSA-4hp7-3wxg-cv9q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kajb-u17y-7ufu
14
url VCID-n3wy-rvyw-m7dc
vulnerability_id VCID-n3wy-rvyw-m7dc
summary Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-48217
reference_id
reference_type
scores
0
value 0.01048
scoring_system epss
scoring_elements 0.78014
published_at 2026-06-13T12:55:00Z
1
value 0.01048
scoring_system epss
scoring_elements 0.78008
published_at 2026-06-14T12:55:00Z
2
value 0.01048
scoring_system epss
scoring_elements 0.77933
published_at 2026-06-11T12:55:00Z
3
value 0.01048
scoring_system epss
scoring_elements 0.78001
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-48217
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6
3
reference_url https://github.com/statamic/cms/pull/8991
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/pull/8991
4
reference_url https://github.com/statamic/cms/pull/8992
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/pull/8992
5
reference_url https://github.com/statamic/cms/releases/tag/v3.4.14
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v3.4.14
6
reference_url https://github.com/statamic/cms/releases/tag/v4.34.0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v4.34.0
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48217
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-48217
8
reference_url https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
reference_id 4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/
url https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
9
reference_url https://github.com/advisories/GHSA-2r53-9295-3m86
reference_id GHSA-2r53-9295-3m86
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2r53-9295-3m86
10
reference_url https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86
reference_id GHSA-2r53-9295-3m86
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-30T14:01:51Z/
url https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86
fixed_packages
0
url pkg:composer/statamic/cms@3.4.14
purl pkg:composer/statamic/cms@3.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-94xa-dsvn-77ee
6
vulnerability VCID-9chh-y51z-uqdy
7
vulnerability VCID-acat-8pec-yycn
8
vulnerability VCID-bdpx-mypp-auge
9
vulnerability VCID-c8nx-d391-63bw
10
vulnerability VCID-crhs-g4rj-y3du
11
vulnerability VCID-g8pq-2yub-kkc8
12
vulnerability VCID-gxn8-7hm9-g3b3
13
vulnerability VCID-kajb-u17y-7ufu
14
vulnerability VCID-nqhe-2h4b-wkc1
15
vulnerability VCID-nsp1-qqp9-g3g9
16
vulnerability VCID-pxjn-93a2-53fs
17
vulnerability VCID-s17m-ejen-bya7
18
vulnerability VCID-tys6-5sqz-dfhw
19
vulnerability VCID-vb35-2r2f-cqcf
20
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.14
1
url pkg:composer/statamic/cms@4.0.0-alpha.1
purl pkg:composer/statamic/cms@4.0.0-alpha.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-etr9-3n87-d3ch
10
vulnerability VCID-g8pq-2yub-kkc8
11
vulnerability VCID-gxn8-7hm9-g3b3
12
vulnerability VCID-kajb-u17y-7ufu
13
vulnerability VCID-nqhe-2h4b-wkc1
14
vulnerability VCID-nsp1-qqp9-g3g9
15
vulnerability VCID-pxjn-93a2-53fs
16
vulnerability VCID-s17m-ejen-bya7
17
vulnerability VCID-tys6-5sqz-dfhw
18
vulnerability VCID-vb35-2r2f-cqcf
19
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.0.0-alpha.1
2
url pkg:composer/statamic/cms@4.34.0
purl pkg:composer/statamic/cms@4.34.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-94xa-dsvn-77ee
6
vulnerability VCID-9chh-y51z-uqdy
7
vulnerability VCID-acat-8pec-yycn
8
vulnerability VCID-bdpx-mypp-auge
9
vulnerability VCID-c8nx-d391-63bw
10
vulnerability VCID-crhs-g4rj-y3du
11
vulnerability VCID-g8pq-2yub-kkc8
12
vulnerability VCID-gxn8-7hm9-g3b3
13
vulnerability VCID-kajb-u17y-7ufu
14
vulnerability VCID-nqhe-2h4b-wkc1
15
vulnerability VCID-nsp1-qqp9-g3g9
16
vulnerability VCID-pxjn-93a2-53fs
17
vulnerability VCID-s17m-ejen-bya7
18
vulnerability VCID-tys6-5sqz-dfhw
19
vulnerability VCID-vb35-2r2f-cqcf
20
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.34.0
aliases CVE-2023-48217, GHSA-2r53-9295-3m86
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n3wy-rvyw-m7dc
15
url VCID-nqhe-2h4b-wkc1
vulnerability_id VCID-nqhe-2h4b-wkc1
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs, either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28423
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07382
published_at 2026-06-14T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0739
published_at 2026-06-13T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07399
published_at 2026-06-12T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07359
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28423
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28423
reference_id CVE-2026-28423
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28423
3
reference_url https://github.com/advisories/GHSA-cwpp-325q-2cvp
reference_id GHSA-cwpp-325q-2cvp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cwpp-325q-2cvp
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp
reference_id GHSA-cwpp-325q-2cvp
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/
url https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp
5
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id v5.73.11
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
6
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id v6.4.0
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
fixed_packages
0
url pkg:composer/statamic/cms@5.73.11
purl pkg:composer/statamic/cms@5.73.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-5vp8-dye1-wbd9
3
vulnerability VCID-62mz-fap3-7khn
4
vulnerability VCID-9chh-y51z-uqdy
5
vulnerability VCID-acat-8pec-yycn
6
vulnerability VCID-c8nx-d391-63bw
7
vulnerability VCID-crhs-g4rj-y3du
8
vulnerability VCID-g8pq-2yub-kkc8
9
vulnerability VCID-kajb-u17y-7ufu
10
vulnerability VCID-pxjn-93a2-53fs
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11
1
url pkg:composer/statamic/cms@6.4.0
purl pkg:composer/statamic/cms@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-3zh8-e7tr-gye9
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-kajb-u17y-7ufu
11
vulnerability VCID-pxjn-93a2-53fs
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0
aliases CVE-2026-28423, GHSA-cwpp-325q-2cvp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nqhe-2h4b-wkc1
16
url VCID-nsp1-qqp9-g3g9
vulnerability_id VCID-nsp1-qqp9-g3g9
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27593
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04345
published_at 2026-06-14T12:55:00Z
1
value 0.00017
scoring_system epss
scoring_elements 0.04353
published_at 2026-06-11T12:55:00Z
2
value 0.00017
scoring_system epss
scoring_elements 0.04358
published_at 2026-06-12T12:55:00Z
3
value 0.00017
scoring_system epss
scoring_elements 0.04346
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27593
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e
reference_id 6fdd03324982848e8754f2edd2265262d361714e
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e
3
reference_url https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be
reference_id 78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be
4
reference_url https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0
reference_id b2be592ddfb588bcb88c9be454f3590e14b145b0
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27593
reference_id CVE-2026-27593
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27593
6
reference_url https://github.com/advisories/GHSA-jxq9-79vj-rgvw
reference_id GHSA-jxq9-79vj-rgvw
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jxq9-79vj-rgvw
7
reference_url https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw
reference_id GHSA-jxq9-79vj-rgvw
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw
8
reference_url https://github.com/statamic/cms/releases/tag/v5.73.10
reference_id v5.73.10
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/releases/tag/v5.73.10
9
reference_url https://github.com/statamic/cms/releases/tag/v6.3.3
reference_id v6.3.3
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/
url https://github.com/statamic/cms/releases/tag/v6.3.3
fixed_packages
0
url pkg:composer/statamic/cms@5.73.10
purl pkg:composer/statamic/cms@5.73.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-5vp8-dye1-wbd9
3
vulnerability VCID-62mz-fap3-7khn
4
vulnerability VCID-9chh-y51z-uqdy
5
vulnerability VCID-acat-8pec-yycn
6
vulnerability VCID-c8nx-d391-63bw
7
vulnerability VCID-crhs-g4rj-y3du
8
vulnerability VCID-g8pq-2yub-kkc8
9
vulnerability VCID-gxn8-7hm9-g3b3
10
vulnerability VCID-kajb-u17y-7ufu
11
vulnerability VCID-nqhe-2h4b-wkc1
12
vulnerability VCID-pxjn-93a2-53fs
13
vulnerability VCID-tys6-5sqz-dfhw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.10
1
url pkg:composer/statamic/cms@6.7.1
purl pkg:composer/statamic/cms@6.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1
aliases CVE-2026-27593, GHSA-jxq9-79vj-rgvw
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nsp1-qqp9-g3g9
17
url VCID-pxjn-93a2-53fs
vulnerability_id VCID-pxjn-93a2-53fs
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33177
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02568
published_at 2026-06-13T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02576
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02578
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33177
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33177
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33177
3
reference_url https://github.com/advisories/GHSA-wh3h-gvc4-cc2g
reference_id GHSA-wh3h-gvc4-cc2g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wh3h-gvc4-cc2g
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g
reference_id GHSA-wh3h-gvc4-cc2g
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/
url https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g
fixed_packages
0
url pkg:composer/statamic/cms@5.73.14
purl pkg:composer/statamic/cms@5.73.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.14
1
url pkg:composer/statamic/cms@6.7.0
purl pkg:composer/statamic/cms@6.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-53nt-msa9-p7b2
2
vulnerability VCID-9chh-y51z-uqdy
3
vulnerability VCID-acat-8pec-yycn
4
vulnerability VCID-c8nx-d391-63bw
5
vulnerability VCID-crhs-g4rj-y3du
6
vulnerability VCID-g8pq-2yub-kkc8
7
vulnerability VCID-kajb-u17y-7ufu
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0
aliases CVE-2026-33177, GHSA-wh3h-gvc4-cc2g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pxjn-93a2-53fs
18
url VCID-rnrk-n64t-ybhw
vulnerability_id VCID-rnrk-n64t-ybhw
summary Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47129
reference_id
reference_type
scores
0
value 0.05963
scoring_system epss
scoring_elements 0.90861
published_at 2026-06-11T12:55:00Z
1
value 0.05963
scoring_system epss
scoring_elements 0.90898
published_at 2026-06-14T12:55:00Z
2
value 0.05963
scoring_system epss
scoring_elements 0.9089
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47129
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47129
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47129
3
reference_url https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
reference_id 098ef8024d97286ca501273c18ae75b646262d75
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/
url https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
4
reference_url https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
reference_id f6c688154f6bdbd0b67039f8f11dcd98ba061e77
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/
url https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
5
reference_url https://github.com/advisories/GHSA-72hg-5wr5-rmfc
reference_id GHSA-72hg-5wr5-rmfc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-72hg-5wr5-rmfc
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
reference_id GHSA-72hg-5wr5-rmfc
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T17:21:20Z/
url https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
fixed_packages
0
url pkg:composer/statamic/cms@3.4.13
purl pkg:composer/statamic/cms@3.4.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-94xa-dsvn-77ee
6
vulnerability VCID-9chh-y51z-uqdy
7
vulnerability VCID-acat-8pec-yycn
8
vulnerability VCID-bdpx-mypp-auge
9
vulnerability VCID-c8nx-d391-63bw
10
vulnerability VCID-crhs-g4rj-y3du
11
vulnerability VCID-g8pq-2yub-kkc8
12
vulnerability VCID-gxn8-7hm9-g3b3
13
vulnerability VCID-kajb-u17y-7ufu
14
vulnerability VCID-n3wy-rvyw-m7dc
15
vulnerability VCID-nqhe-2h4b-wkc1
16
vulnerability VCID-nsp1-qqp9-g3g9
17
vulnerability VCID-pxjn-93a2-53fs
18
vulnerability VCID-s17m-ejen-bya7
19
vulnerability VCID-tys6-5sqz-dfhw
20
vulnerability VCID-vb35-2r2f-cqcf
21
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.13
1
url pkg:composer/statamic/cms@4.33.0
purl pkg:composer/statamic/cms@4.33.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-94xa-dsvn-77ee
6
vulnerability VCID-9chh-y51z-uqdy
7
vulnerability VCID-acat-8pec-yycn
8
vulnerability VCID-bdpx-mypp-auge
9
vulnerability VCID-c8nx-d391-63bw
10
vulnerability VCID-crhs-g4rj-y3du
11
vulnerability VCID-g8pq-2yub-kkc8
12
vulnerability VCID-gxn8-7hm9-g3b3
13
vulnerability VCID-kajb-u17y-7ufu
14
vulnerability VCID-n3wy-rvyw-m7dc
15
vulnerability VCID-nqhe-2h4b-wkc1
16
vulnerability VCID-nsp1-qqp9-g3g9
17
vulnerability VCID-pxjn-93a2-53fs
18
vulnerability VCID-s17m-ejen-bya7
19
vulnerability VCID-tys6-5sqz-dfhw
20
vulnerability VCID-vb35-2r2f-cqcf
21
vulnerability VCID-z2qu-kkwp-dfew
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@4.33.0
aliases CVE-2023-47129, GHSA-72hg-5wr5-rmfc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rnrk-n64t-ybhw
19
url VCID-s17m-ejen-bya7
vulnerability_id VCID-s17m-ejen-bya7
summary Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, in addition to 6.0.0-alpha.1 through 6.3.1, have a Stored XSS vulnerability in html fieldtypes that allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27196
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02638
published_at 2026-06-14T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02628
published_at 2026-06-13T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02637
published_at 2026-06-12T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02632
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27196
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
reference_id 11ae40e62edd3da044d37ebf264757a09cc2347b
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/
url https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
3
reference_url https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
reference_id 6c270dacc2be02bfc2eee500766f3309f59d47b3
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/
url https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27196
reference_id CVE-2026-27196
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27196
5
reference_url https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
reference_id GHSA-8r7r-f4gm-wcpq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
reference_id GHSA-8r7r-f4gm-wcpq
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/
url https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
fixed_packages
0
url pkg:composer/statamic/cms@5.73.9
purl pkg:composer/statamic/cms@5.73.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-5vp8-dye1-wbd9
3
vulnerability VCID-62mz-fap3-7khn
4
vulnerability VCID-9chh-y51z-uqdy
5
vulnerability VCID-acat-8pec-yycn
6
vulnerability VCID-c8nx-d391-63bw
7
vulnerability VCID-crhs-g4rj-y3du
8
vulnerability VCID-g8pq-2yub-kkc8
9
vulnerability VCID-gxn8-7hm9-g3b3
10
vulnerability VCID-kajb-u17y-7ufu
11
vulnerability VCID-nqhe-2h4b-wkc1
12
vulnerability VCID-nsp1-qqp9-g3g9
13
vulnerability VCID-pxjn-93a2-53fs
14
vulnerability VCID-tys6-5sqz-dfhw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.9
1
url pkg:composer/statamic/cms@6.3.2
purl pkg:composer/statamic/cms@6.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-3zh8-e7tr-gye9
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-gxn8-7hm9-g3b3
11
vulnerability VCID-kajb-u17y-7ufu
12
vulnerability VCID-nqhe-2h4b-wkc1
13
vulnerability VCID-nsp1-qqp9-g3g9
14
vulnerability VCID-pxjn-93a2-53fs
15
vulnerability VCID-tys6-5sqz-dfhw
16
vulnerability VCID-w7sz-egcg-e7g5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2
aliases CVE-2026-27196, GHSA-8r7r-f4gm-wcpq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s17m-ejen-bya7
20
url VCID-tys6-5sqz-dfhw
vulnerability_id VCID-tys6-5sqz-dfhw
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28424
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.13277
published_at 2026-06-14T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13302
published_at 2026-06-13T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.13294
published_at 2026-06-12T12:55:00Z
3
value 0.00042
scoring_system epss
scoring_elements 0.13194
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28424
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28424
reference_id CVE-2026-28424
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28424
3
reference_url https://github.com/advisories/GHSA-w878-f8c6-7r63
reference_id GHSA-w878-f8c6-7r63
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w878-f8c6-7r63
4
reference_url https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63
reference_id GHSA-w878-f8c6-7r63
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/
url https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63
5
reference_url https://github.com/statamic/cms/releases/tag/v5.73.11
reference_id v5.73.11
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/
url https://github.com/statamic/cms/releases/tag/v5.73.11
6
reference_url https://github.com/statamic/cms/releases/tag/v6.4.0
reference_id v6.4.0
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/
url https://github.com/statamic/cms/releases/tag/v6.4.0
fixed_packages
0
url pkg:composer/statamic/cms@5.73.11
purl pkg:composer/statamic/cms@5.73.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-5vp8-dye1-wbd9
3
vulnerability VCID-62mz-fap3-7khn
4
vulnerability VCID-9chh-y51z-uqdy
5
vulnerability VCID-acat-8pec-yycn
6
vulnerability VCID-c8nx-d391-63bw
7
vulnerability VCID-crhs-g4rj-y3du
8
vulnerability VCID-g8pq-2yub-kkc8
9
vulnerability VCID-kajb-u17y-7ufu
10
vulnerability VCID-pxjn-93a2-53fs
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.73.11
1
url pkg:composer/statamic/cms@6.4.0
purl pkg:composer/statamic/cms@6.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ueq-n7pd-1yav
1
vulnerability VCID-3afh-kvfu-q3f6
2
vulnerability VCID-3zh8-e7tr-gye9
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-kajb-u17y-7ufu
11
vulnerability VCID-pxjn-93a2-53fs
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0
aliases CVE-2026-28424, GHSA-w878-f8c6-7r63
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tys6-5sqz-dfhw
21
url VCID-vb35-2r2f-cqcf
vulnerability_id VCID-vb35-2r2f-cqcf
summary Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64112
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.11018
published_at 2026-06-14T12:55:00Z
1
value 0.00036
scoring_system epss
scoring_elements 0.10988
published_at 2026-06-11T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.11051
published_at 2026-06-12T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.11049
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64112
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://github.com/statamic/cms/releases/tag/v5.22.1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms/releases/tag/v5.22.1
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64112
reference_id CVE-2025-64112
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64112
4
reference_url https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1
reference_id e513751f433679ce698606e20c554a0c839987c1
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/
url https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1
5
reference_url https://github.com/advisories/GHSA-g59r-24g3-h7cm
reference_id GHSA-g59r-24g3-h7cm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g59r-24g3-h7cm
6
reference_url https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm
reference_id GHSA-g59r-24g3-h7cm
reference_type
scores
0
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-30T17:57:49Z/
url https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm
fixed_packages
0
url pkg:composer/statamic/cms@5.22.1
purl pkg:composer/statamic/cms@5.22.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-gxn8-7hm9-g3b3
11
vulnerability VCID-kajb-u17y-7ufu
12
vulnerability VCID-nqhe-2h4b-wkc1
13
vulnerability VCID-nsp1-qqp9-g3g9
14
vulnerability VCID-pxjn-93a2-53fs
15
vulnerability VCID-s17m-ejen-bya7
16
vulnerability VCID-tys6-5sqz-dfhw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.22.1
aliases CVE-2025-64112, GHSA-g59r-24g3-h7cm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vb35-2r2f-cqcf
22
url VCID-z2qu-kkwp-dfew
vulnerability_id VCID-z2qu-kkwp-dfew
summary Statamic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52600
reference_id
reference_type
scores
0
value 0.00386
scoring_system epss
scoring_elements 0.60225
published_at 2026-06-11T12:55:00Z
1
value 0.00386
scoring_system epss
scoring_elements 0.60336
published_at 2026-06-14T12:55:00Z
2
value 0.00386
scoring_system epss
scoring_elements 0.60331
published_at 2026-06-12T12:55:00Z
3
value 0.00386
scoring_system epss
scoring_elements 0.60343
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52600
1
reference_url https://github.com/statamic/cms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/statamic/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52600
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52600
3
reference_url https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
reference_id 0c07c10009a2439c8ee56c8faefd1319dc6e388d
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
4
reference_url https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
reference_id 400875b20f40e1343699d536a432a6fc284346da
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
5
reference_url https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
reference_id 4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
6
reference_url https://github.com/advisories/GHSA-p7f6-8mcm-fwv3
reference_id GHSA-p7f6-8mcm-fwv3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p7f6-8mcm-fwv3
7
reference_url https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
reference_id GHSA-p7f6-8mcm-fwv3
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-20T16:41:07Z/
url https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
fixed_packages
0
url pkg:composer/statamic/cms@5.17.0
purl pkg:composer/statamic/cms@5.17.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1fy7-n7hd-87b9
1
vulnerability VCID-2ueq-n7pd-1yav
2
vulnerability VCID-3afh-kvfu-q3f6
3
vulnerability VCID-5vp8-dye1-wbd9
4
vulnerability VCID-62mz-fap3-7khn
5
vulnerability VCID-9chh-y51z-uqdy
6
vulnerability VCID-acat-8pec-yycn
7
vulnerability VCID-c8nx-d391-63bw
8
vulnerability VCID-crhs-g4rj-y3du
9
vulnerability VCID-g8pq-2yub-kkc8
10
vulnerability VCID-gxn8-7hm9-g3b3
11
vulnerability VCID-kajb-u17y-7ufu
12
vulnerability VCID-nqhe-2h4b-wkc1
13
vulnerability VCID-nsp1-qqp9-g3g9
14
vulnerability VCID-pxjn-93a2-53fs
15
vulnerability VCID-s17m-ejen-bya7
16
vulnerability VCID-tys6-5sqz-dfhw
17
vulnerability VCID-vb35-2r2f-cqcf
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@5.17.0
aliases CVE-2024-52600, GHSA-p7f6-8mcm-fwv3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z2qu-kkwp-dfew
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@3.4.12