Package details: pkg:composer/statamic/cms@3.4.8
purl pkg:composer/statamic/cms@3.4.8
Next non-vulnerable version 5.73.20
Latest non-vulnerable version 6.18.1
Risk 4.5
Vulnerabilities affecting this package (23)
Vulnerability Summary Fixed by
VCID-1r77-f41m-gygc
Aliases:
CVE-2023-48217
GHSA-2r53-9295-3m86
Statamic CMS vulnerable to remote code execution via form uploads Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
3.4.14
Affected by 20 other vulnerabilities.
4.0.0-alpha.1
Affected by 19 other vulnerabilities.
4.34.0
Affected by 20 other vulnerabilities.
VCID-2h8u-ckde-8fad
Aliases:
CVE-2026-27593
GHSA-jxq9-79vj-rgvw
Statamic is vulnerable to account takeover via password reset link injection An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.
5.73.10
Affected by 13 other vulnerabilities.
6.7.1
Affected by 7 other vulnerabilities.
VCID-2nav-d5sc-buc2
Aliases:
CVE-2026-33885
GHSA-7f74-7q5w-hj4r
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-3ecw-t3fm-3fh4
Aliases:
CVE-2026-41175
GHSA-4jjr-vmv7-wh4w
5.73.20
Affected by 0 other vulnerabilities.
6.13.0
Affected by 0 other vulnerabilities.
VCID-5ukf-bhcd-suhw
Aliases:
CVE-2026-28425
GHSA-cpv7-q2wx-m8rw
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-99m5-7a9g-2bef
Aliases:
CVE-2024-24570
GHSA-vqxq-hvxw-9mv9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.
3.4.17
Affected by 18 other vulnerabilities.
4.46.0
Affected by 18 other vulnerabilities.
VCID-cdfx-dkc6-suha
Aliases:
CVE-2026-28423
GHSA-cwpp-325q-2cvp
Statamic Vulnerable to Server-Side Request Forgery via Glide When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.
5.73.11
Affected by 10 other vulnerabilities.
6.4.0
Affected by 11 other vulnerabilities.
VCID-cz95-w9j3-mufn
Aliases:
CVE-2026-27196
GHSA-8r7r-f4gm-wcpq
Statamic affected by privilege escalation via stored cross-site scripting Stored XSS vulnerability in `html` fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
5.73.9
Affected by 14 other vulnerabilities.
6.3.2
Affected by 16 other vulnerabilities.
VCID-dchd-avma-3qg2
Aliases:
CVE-2023-47129
GHSA-72hg-5wr5-rmfc
Statamic CMS remote code execution via front-end form uploads Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
3.4.13
Affected by 21 other vulnerabilities.
4.33.0
Affected by 21 other vulnerabilities.
VCID-dehx-x78k-7uf5
Aliases:
CVE-2023-48701
GHSA-8jjh-j3c2-cjcv
Cross-site Scripting via uploaded assets Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched in 3.4.15 and 4.36.0.
3.4.15
Affected by 19 other vulnerabilities.
4.36.0
Affected by 19 other vulnerabilities.
VCID-e9pw-5s2v-yqct
Aliases:
CVE-2026-33882
GHSA-cvh3-23vq-w7h4
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-fgyv-vuu6-vbhq
Aliases:
CVE-2025-64112
GHSA-g59r-24g3-h7cm
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This affects:
- Control panel users with permission to create or edit Collections and Taxonomies
- Versions up to and including 5.22.0
The vulnerability can be exploited to:
- Change a super admin's password (versions ≤ 5.21.0)
- Change a super admin's email address to initiate password reset (version 5.22.0)
- Gain unauthorized access to superadmin accounts
The attack requires:
- An authenticated user with control panel and content creation permissions
- A super admin to view the compromised content
5.22.1
Affected by 16 other vulnerabilities.
VCID-fjkd-mnrz-hkh2
Aliases:
CVE-2026-33177
GHSA-wh3h-gvc4-cc2g
5.73.14
Affected by 7 other vulnerabilities.
6.7.0
Affected by 7 other vulnerabilities.
VCID-hnye-658u-yfcx
Aliases:
CVE-2026-33884
GHSA-8vwx-ccf6-5wg2
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-kctx-wwrz-eyab
Aliases:
CVE-2026-28424
GHSA-w878-f8c6-7r63
Statamic's missing authorization allows access to email addresses User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.
5.73.11
Affected by 10 other vulnerabilities.
6.4.0
Affected by 11 other vulnerabilities.
VCID-py47-fmfr-hbh6
Aliases:
CVE-2023-36828
GHSA-6r5g-cq4q-327g
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.
4.10.0
Affected by 22 other vulnerabilities.
VCID-s55s-2gzg-13c2
Aliases:
CVE-2026-33887
GHSA-4hp7-3wxg-cv9q
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-smz3-etqw-q7fv
Aliases:
CVE-2026-25633
GHSA-gwmx-9gcj-332h
Statamic CMS's missing authorization allows access to assets Users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this.
5.73.6
Affected by 15 other vulnerabilities.
6.2.5
Affected by 17 other vulnerabilities.
VCID-sw5p-h53c-wkhb
Aliases:
CVE-2026-28426
GHSA-5vrj-wf7v-5wr7
Statamic vulnerable to privilege escalation via stored cross-site scripting Stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
5.73.11
Affected by 10 other vulnerabilities.
6.4.0
Affected by 11 other vulnerabilities.
VCID-t5kq-pvrj-t7fy
Aliases:
CVE-2026-33883
GHSA-3jg4-p23x-p4qx
5.73.16
Affected by 1 other vulnerability.
6.7.2
Affected by 1 other vulnerability.
VCID-t84q-nyyv-9kar
Aliases:
CVE-2024-52600
GHSA-p7f6-8mcm-fwv3
5.17.0
Affected by 17 other vulnerabilities.
VCID-x5p5-ez6j-2qe8
Aliases:
CVE-2026-33171
GHSA-qm7r-wwq7-6f85
5.73.14
Affected by 7 other vulnerabilities.
6.7.0
Affected by 7 other vulnerabilities.
VCID-xj5k-a1we-7ffx
Aliases:
CVE-2026-33172
GHSA-7rcv-55mj-chg7
5.73.14
Affected by 7 other vulnerabilities.
6.7.0
Affected by 7 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T10:48:55.169191+00:00 GitLab Importer Affected by VCID-3ecw-t3fm-3fh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/GHSA-4jjr-vmv7-wh4w.yml 38.6.0
2026-06-01T10:47:29.512553+00:00 GitLab Importer Affected by VCID-3ecw-t3fm-3fh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-41175.yml 38.6.0
2026-06-01T10:17:58.591672+00:00 GitLab Importer Affected by VCID-e9pw-5s2v-yqct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33882.yml 38.6.0
2026-06-01T10:16:55.888135+00:00 GitLab Importer Affected by VCID-2nav-d5sc-buc2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33885.yml 38.6.0
2026-06-01T10:16:42.404060+00:00 GitLab Importer Affected by VCID-t5kq-pvrj-t7fy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33883.yml 38.6.0
2026-06-01T10:16:34.259615+00:00 GitLab Importer Affected by VCID-hnye-658u-yfcx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33884.yml 38.6.0
2026-06-01T10:16:13.409939+00:00 GitLab Importer Affected by VCID-s55s-2gzg-13c2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33887.yml 38.6.0
2026-06-01T10:10:10.786368+00:00 GitLab Importer Affected by VCID-xj5k-a1we-7ffx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33172.yml 38.6.0
2026-06-01T10:10:03.239082+00:00 GitLab Importer Affected by VCID-fjkd-mnrz-hkh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33177.yml 38.6.0
2026-06-01T10:09:40.651997+00:00 GitLab Importer Affected by VCID-x5p5-ez6j-2qe8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-33171.yml 38.6.0
2026-06-01T09:48:47.143598+00:00 GitLab Importer Affected by VCID-sw5p-h53c-wkhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28426.yml 38.6.0
2026-06-01T09:48:37.377426+00:00 GitLab Importer Affected by VCID-5ukf-bhcd-suhw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28425.yml 38.6.0
2026-06-01T09:48:34.225367+00:00 GitLab Importer Affected by VCID-kctx-wwrz-eyab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28424.yml 38.6.0
2026-06-01T09:48:31.618324+00:00 GitLab Importer Affected by VCID-cdfx-dkc6-suha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-28423.yml 38.6.0
2026-06-01T09:43:50.334079+00:00 GitLab Importer Affected by VCID-2h8u-ckde-8fad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-27593.yml 38.6.0
2026-06-01T09:39:53.095246+00:00 GitLab Importer Affected by VCID-cz95-w9j3-mufn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-27196.yml 38.6.0
2026-06-01T09:35:58.837043+00:00 GitLab Importer Affected by VCID-smz3-etqw-q7fv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-25633.yml 38.6.0
2026-06-01T09:08:27.189131+00:00 GitLab Importer Affected by VCID-fgyv-vuu6-vbhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2025-64112.yml 38.6.0
2026-06-01T08:24:10.119565+00:00 GitLab Importer Affected by VCID-t84q-nyyv-9kar https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2024-52600.yml 38.6.0
2026-06-01T07:50:16.824314+00:00 GitLab Importer Affected by VCID-99m5-7a9g-2bef https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2024-24570.yml 38.6.0
2026-06-01T07:43:04.005660+00:00 GitLab Importer Affected by VCID-dehx-x78k-7uf5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2023-48701.yml 38.6.0
2026-06-01T07:42:23.902028+00:00 GitLab Importer Affected by VCID-1r77-f41m-gygc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2023-48217.yml 38.6.0
2026-06-01T07:42:13.240208+00:00 GitLab Importer Affected by VCID-dchd-avma-3qg2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2023-47129.yml 38.6.0
2026-06-01T07:31:52.194011+00:00 GitLab Importer Affected by VCID-py47-fmfr-hbh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2023-36828.yml 38.6.0