{"url":"http://public2.vulnerablecode.io/api/packages/942674?format=json","purl":"pkg:composer/statamic/cms@6.1.0","type":"composer","namespace":"statamic","name":"cms","version":"6.1.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.15.0","latest_non_vulnerable_version":"6.18.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66092?format=json","vulnerability_id":"VCID-1fy7-n7hd-87b9","summary":"Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25633","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02454","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02452","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03135","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03148","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25633"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/pull/13883","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/pull/13883"},{"reference_url":"https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a","reference_id":"5a6f47246edf3a0c453727ffecbfa14333a6bc8a","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25633","reference_id":"CVE-2026-25633","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25633"},{"reference_url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h","reference_id":"GHSA-gwmx-9gcj-332h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h","reference_id":"GHSA-gwmx-9gcj-332h","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.6","reference_id":"v5.73.6","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.6"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.2.5","reference_id":"v6.2.5","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:19:30Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.2.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39088?format=json","purl":"pkg:composer/statamic/cms@6.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-pxjn-93a2-53fs"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-w7sz-egcg-e7g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.5"}],"aliases":["CVE-2026-25633","GHSA-gwmx-9gcj-332h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fy7-n7hd-87b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81013?format=json","vulnerability_id":"VCID-2ueq-n7pd-1yav","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41175","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.283","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28087","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28308","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28284","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41175"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41175","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41175"},{"reference_url":"https://github.com/advisories/GHSA-4jjr-vmv7-wh4w","reference_id":"GHSA-4jjr-vmv7-wh4w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4jjr-vmv7-wh4w"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w","reference_id":"GHSA-4jjr-vmv7-wh4w","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:56:00Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373463?format=json","purl":"pkg:composer/statamic/cms@6.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.13.0"}],"aliases":["CVE-2026-41175","GHSA-4jjr-vmv7-wh4w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ueq-n7pd-1yav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77641?format=json","vulnerability_id":"VCID-3afh-kvfu-q3f6","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33172","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02517","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02524","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02527","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33172"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33172","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33172"},{"reference_url":"https://github.com/advisories/GHSA-7rcv-55mj-chg7","reference_id":"GHSA-7rcv-55mj-chg7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7rcv-55mj-chg7"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7","reference_id":"GHSA-7rcv-55mj-chg7","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:46:09Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374642?format=json","purl":"pkg:composer/statamic/cms@6.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-53nt-msa9-p7b2"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0"}],"aliases":["CVE-2026-33172","GHSA-7rcv-55mj-chg7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3afh-kvfu-q3f6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77442?format=json","vulnerability_id":"VCID-3zh8-e7tr-gye9","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32612","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03678","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03685","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03661","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0367","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32612"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32612","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32612"},{"reference_url":"https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-32612","reference_id":"CVE-2026-32612","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T14:48:16Z/"}],"url":"https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-32612"},{"reference_url":"https://github.com/advisories/GHSA-hcch-w73c-jp4m","reference_id":"GHSA-hcch-w73c-jp4m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hcch-w73c-jp4m"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-hcch-w73c-jp4m","reference_id":"GHSA-hcch-w73c-jp4m","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T14:48:16Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-hcch-w73c-jp4m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375066?format=json","purl":"pkg:composer/statamic/cms@6.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-53nt-msa9-p7b2"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-pxjn-93a2-53fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.6.2"}],"aliases":["CVE-2026-32612","GHSA-hcch-w73c-jp4m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3zh8-e7tr-gye9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78305?format=json","vulnerability_id":"VCID-5vp8-dye1-wbd9","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33171","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06461","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06429","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06442","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0645","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33171"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33171","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33171"},{"reference_url":"https://github.com/advisories/GHSA-qm7r-wwq7-6f85","reference_id":"GHSA-qm7r-wwq7-6f85","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm7r-wwq7-6f85"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85","reference_id":"GHSA-qm7r-wwq7-6f85","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T20:52:53Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374642?format=json","purl":"pkg:composer/statamic/cms@6.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-53nt-msa9-p7b2"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0"}],"aliases":["CVE-2026-33171","GHSA-qm7r-wwq7-6f85"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5vp8-dye1-wbd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69609?format=json","vulnerability_id":"VCID-62mz-fap3-7khn","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28425","reference_id":"","reference_type":"","scores":[{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40734","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.4072","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.4071","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40543","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28425"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.16","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.16"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.7.2","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms/releases/tag/v6.7.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28425","reference_id":"CVE-2026-28425","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28425"},{"reference_url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw","reference_id":"GHSA-cpv7-q2wx-m8rw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw","reference_id":"GHSA-cpv7-q2wx-m8rw","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:36:43Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-28425","GHSA-cpv7-q2wx-m8rw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-62mz-fap3-7khn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77837?format=json","vulnerability_id":"VCID-9chh-y51z-uqdy","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33883","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12907","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12899","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12811","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12918","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33883"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33883","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33883"},{"reference_url":"https://github.com/advisories/GHSA-3jg4-p23x-p4qx","reference_id":"GHSA-3jg4-p23x-p4qx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3jg4-p23x-p4qx"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx","reference_id":"GHSA-3jg4-p23x-p4qx","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:56:43Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33883","GHSA-3jg4-p23x-p4qx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9chh-y51z-uqdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77737?format=json","vulnerability_id":"VCID-acat-8pec-yycn","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33885","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16768","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16632","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16794","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16781","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33885"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33885","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33885"},{"reference_url":"https://github.com/advisories/GHSA-7f74-7q5w-hj4r","reference_id":"GHSA-7f74-7q5w-hj4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7f74-7q5w-hj4r"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r","reference_id":"GHSA-7f74-7q5w-hj4r","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:59:41Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33885","GHSA-7f74-7q5w-hj4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-acat-8pec-yycn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77640?format=json","vulnerability_id":"VCID-c8nx-d391-63bw","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33882","reference_id":"","reference_type":"","scores":[{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.2832","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28336","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28124","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28344","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33882"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33882","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33882"},{"reference_url":"https://github.com/advisories/GHSA-cvh3-23vq-w7h4","reference_id":"GHSA-cvh3-23vq-w7h4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cvh3-23vq-w7h4"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4","reference_id":"GHSA-cvh3-23vq-w7h4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:42Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33882","GHSA-cvh3-23vq-w7h4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c8nx-d391-63bw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78286?format=json","vulnerability_id":"VCID-crhs-g4rj-y3du","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33884","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12379","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12366","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12288","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12387","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33884"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33884","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33884"},{"reference_url":"https://github.com/advisories/GHSA-8vwx-ccf6-5wg2","reference_id":"GHSA-8vwx-ccf6-5wg2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8vwx-ccf6-5wg2"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2","reference_id":"GHSA-8vwx-ccf6-5wg2","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:37:18Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33884","GHSA-8vwx-ccf6-5wg2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-crhs-g4rj-y3du"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67601?format=json","vulnerability_id":"VCID-g8pq-2yub-kkc8","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44306","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11544","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11621","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1284","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12857","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44306"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44306","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44306"},{"reference_url":"https://github.com/advisories/GHSA-m24v-f7g5-gq67","reference_id":"GHSA-m24v-f7g5-gq67","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m24v-f7g5-gq67"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67","reference_id":"GHSA-m24v-f7g5-gq67","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:50Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375685?format=json","purl":"pkg:composer/statamic/cms@6.15.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.15.0"}],"aliases":["CVE-2026-44306","GHSA-m24v-f7g5-gq67"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g8pq-2yub-kkc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66134?format=json","vulnerability_id":"VCID-g9kg-2pmt-pbev","summary":"Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25759","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02139","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02135","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03692","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03678","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25759"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6","reference_id":"6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:18:49Z/"}],"url":"https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25759","reference_id":"CVE-2026-25759","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25759"},{"reference_url":"https://github.com/advisories/GHSA-ff9r-ww9c-43x8","reference_id":"GHSA-ff9r-ww9c-43x8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ff9r-ww9c-43x8"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8","reference_id":"GHSA-ff9r-ww9c-43x8","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:18:49Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.2.3","reference_id":"v6.2.3","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-12T21:18:49Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.2.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39091?format=json","purl":"pkg:composer/statamic/cms@6.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fy7-n7hd-87b9"},{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-pxjn-93a2-53fs"},{"vulnerability":"VCID-s17m-ejen-bya7"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-w7sz-egcg-e7g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.2.3"}],"aliases":["CVE-2026-25759","GHSA-ff9r-ww9c-43x8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g9kg-2pmt-pbev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69390?format=json","vulnerability_id":"VCID-gxn8-7hm9-g3b3","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28426","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02141","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02136","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02132","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28426"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28426","reference_id":"CVE-2026-28426","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28426"},{"reference_url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7","reference_id":"GHSA-5vrj-wf7v-5wr7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7","reference_id":"GHSA-5vrj-wf7v-5wr7","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T19:38:52Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-pxjn-93a2-53fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28426","GHSA-5vrj-wf7v-5wr7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gxn8-7hm9-g3b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77811?format=json","vulnerability_id":"VCID-kajb-u17y-7ufu","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33887","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09984","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09945","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09998","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09993","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33887"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33887","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33887"},{"reference_url":"https://github.com/advisories/GHSA-4hp7-3wxg-cv9q","reference_id":"GHSA-4hp7-3wxg-cv9q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hp7-3wxg-cv9q"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q","reference_id":"GHSA-4hp7-3wxg-cv9q","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:54:14Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40016?format=json","purl":"pkg:composer/statamic/cms@6.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-g8pq-2yub-kkc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.2"}],"aliases":["CVE-2026-33887","GHSA-4hp7-3wxg-cv9q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kajb-u17y-7ufu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69196?format=json","vulnerability_id":"VCID-nqhe-2h4b-wkc1","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28423","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07382","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.0739","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07399","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07359","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28423"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28423","reference_id":"CVE-2026-28423","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28423"},{"reference_url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp","reference_id":"GHSA-cwpp-325q-2cvp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp","reference_id":"GHSA-cwpp-325q-2cvp","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:48:27Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-pxjn-93a2-53fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28423","GHSA-cwpp-325q-2cvp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nqhe-2h4b-wkc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80238?format=json","vulnerability_id":"VCID-nsp1-qqp9-g3g9","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27593","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04345","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04353","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04358","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04346","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27593"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e","reference_id":"6fdd03324982848e8754f2edd2265262d361714e","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"},{"reference_url":"https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be","reference_id":"78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"},{"reference_url":"https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0","reference_id":"b2be592ddfb588bcb88c9be454f3590e14b145b0","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27593","reference_id":"CVE-2026-27593","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27593"},{"reference_url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw","reference_id":"GHSA-jxq9-79vj-rgvw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw","reference_id":"GHSA-jxq9-79vj-rgvw","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.10","reference_id":"v5.73.10","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.10"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.3.3","reference_id":"v6.3.3","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:55:56Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.3.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39802?format=json","purl":"pkg:composer/statamic/cms@6.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-53nt-msa9-p7b2"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.1"}],"aliases":["CVE-2026-27593","GHSA-jxq9-79vj-rgvw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nsp1-qqp9-g3g9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78230?format=json","vulnerability_id":"VCID-pxjn-93a2-53fs","summary":"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33177","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02568","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02576","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02578","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33177"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33177","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33177"},{"reference_url":"https://github.com/advisories/GHSA-wh3h-gvc4-cc2g","reference_id":"GHSA-wh3h-gvc4-cc2g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wh3h-gvc4-cc2g"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g","reference_id":"GHSA-wh3h-gvc4-cc2g","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:49:16Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374642?format=json","purl":"pkg:composer/statamic/cms@6.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-53nt-msa9-p7b2"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.7.0"}],"aliases":["CVE-2026-33177","GHSA-wh3h-gvc4-cc2g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pxjn-93a2-53fs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79707?format=json","vulnerability_id":"VCID-s17m-ejen-bya7","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27196","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02638","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02628","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02637","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02632","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27196"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b","reference_id":"11ae40e62edd3da044d37ebf264757a09cc2347b","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b"},{"reference_url":"https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3","reference_id":"6c270dacc2be02bfc2eee500766f3309f59d47b3","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27196","reference_id":"CVE-2026-27196","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27196"},{"reference_url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq","reference_id":"GHSA-8r7r-f4gm-wcpq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq","reference_id":"GHSA-8r7r-f4gm-wcpq","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39453?format=json","purl":"pkg:composer/statamic/cms@6.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-gxn8-7hm9-g3b3"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-nqhe-2h4b-wkc1"},{"vulnerability":"VCID-nsp1-qqp9-g3g9"},{"vulnerability":"VCID-pxjn-93a2-53fs"},{"vulnerability":"VCID-tys6-5sqz-dfhw"},{"vulnerability":"VCID-w7sz-egcg-e7g5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.3.2"}],"aliases":["CVE-2026-27196","GHSA-8r7r-f4gm-wcpq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s17m-ejen-bya7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69194?format=json","vulnerability_id":"VCID-tys6-5sqz-dfhw","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28424","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13277","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13302","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13294","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13194","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28424"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28424","reference_id":"CVE-2026-28424","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28424"},{"reference_url":"https://github.com/advisories/GHSA-w878-f8c6-7r63","reference_id":"GHSA-w878-f8c6-7r63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w878-f8c6-7r63"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63","reference_id":"GHSA-w878-f8c6-7r63","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v5.73.11","reference_id":"v5.73.11","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v5.73.11"},{"reference_url":"https://github.com/statamic/cms/releases/tag/v6.4.0","reference_id":"v6.4.0","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T19:35:55Z/"}],"url":"https://github.com/statamic/cms/releases/tag/v6.4.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-pxjn-93a2-53fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-28424","GHSA-w878-f8c6-7r63"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tys6-5sqz-dfhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80084?format=json","vulnerability_id":"VCID-w7sz-egcg-e7g5","summary":"Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27939","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06447","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06478","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06459","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06466","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27939"},{"reference_url":"https://github.com/statamic/cms","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/statamic/cms"},{"reference_url":"https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a","reference_id":"8639ef96217eaa682bc42e8a62769cb7c6a85d3a","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T22:03:09Z/"}],"url":"https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27939","reference_id":"CVE-2026-27939","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27939"},{"reference_url":"https://github.com/advisories/GHSA-rw9x-pxqx-q789","reference_id":"GHSA-rw9x-pxqx-q789","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rw9x-pxqx-q789"},{"reference_url":"https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789","reference_id":"GHSA-rw9x-pxqx-q789","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T22:03:09Z/"}],"url":"https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39982?format=json","purl":"pkg:composer/statamic/cms@6.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueq-n7pd-1yav"},{"vulnerability":"VCID-3afh-kvfu-q3f6"},{"vulnerability":"VCID-3zh8-e7tr-gye9"},{"vulnerability":"VCID-5vp8-dye1-wbd9"},{"vulnerability":"VCID-62mz-fap3-7khn"},{"vulnerability":"VCID-9chh-y51z-uqdy"},{"vulnerability":"VCID-acat-8pec-yycn"},{"vulnerability":"VCID-c8nx-d391-63bw"},{"vulnerability":"VCID-crhs-g4rj-y3du"},{"vulnerability":"VCID-g8pq-2yub-kkc8"},{"vulnerability":"VCID-kajb-u17y-7ufu"},{"vulnerability":"VCID-pxjn-93a2-53fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.4.0"}],"aliases":["CVE-2026-27939","GHSA-rw9x-pxqx-q789"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w7sz-egcg-e7g5"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/statamic/cms@6.1.0"}