Search for packages
| purl | pkg:composer/statamic/cms@4.46.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2h8u-ckde-8fad
Aliases: CVE-2026-27593 GHSA-jxq9-79vj-rgvw |
Statamic is vulnerable to account takeover via password reset link injection An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. |
Affected by 13 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-2nav-d5sc-buc2
Aliases: CVE-2026-33885 GHSA-7f74-7q5w-hj4r |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-3ecw-t3fm-3fh4
Aliases: CVE-2026-41175 GHSA-4jjr-vmv7-wh4w |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-5ukf-bhcd-suhw
Aliases: CVE-2026-28425 GHSA-cpv7-q2wx-m8rw |
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-cdfx-dkc6-suha
Aliases: CVE-2026-28423 GHSA-cwpp-325q-2cvp |
Statamic Vulnerable to Server-Side Request Forgery via Glide When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-cz95-w9j3-mufn
Aliases: CVE-2026-27196 GHSA-8r7r-f4gm-wcpq |
Statamic affected by privilege escalation via stored cross-site scripting Stored XSS vulnerability in `html` fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. |
Affected by 14 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-e9pw-5s2v-yqct
Aliases: CVE-2026-33882 GHSA-cvh3-23vq-w7h4 |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-fgyv-vuu6-vbhq
Aliases: CVE-2025-64112 GHSA-g59r-24g3-h7cm |
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This affects: - Control panel users with permission to create or edit Collections and Taxonomies - Versions up to and including 5.22.0 The vulnerability can be exploited to: - Change a super admin's password (versions ≤ 5.21.0) - Change a super admin's email address to initiate password reset (version 5.22.0) - Gain unauthorized access to superadmin accounts The attack requires: - An authenticated user with control panel and content creation permissions - A super admin to view the compromised content |
Affected by 16 other vulnerabilities. |
|
VCID-fjkd-mnrz-hkh2
Aliases: CVE-2026-33177 GHSA-wh3h-gvc4-cc2g |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
|
VCID-hnye-658u-yfcx
Aliases: CVE-2026-33884 GHSA-8vwx-ccf6-5wg2 |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-kctx-wwrz-eyab
Aliases: CVE-2026-28424 GHSA-w878-f8c6-7r63 |
Statamic's missing authorization allows access to email addresses User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission. |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-s55s-2gzg-13c2
Aliases: CVE-2026-33887 GHSA-4hp7-3wxg-cv9q |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-smz3-etqw-q7fv
Aliases: CVE-2026-25633 GHSA-gwmx-9gcj-332h |
Statamic CMS's missing authorization allows access to assets Users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. |
Affected by 15 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-sw5p-h53c-wkhb
Aliases: CVE-2026-28426 GHSA-5vrj-wf7v-5wr7 |
Statamic vulnerable to privilege escalation via stored cross-site scripting Stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-t5kq-pvrj-t7fy
Aliases: CVE-2026-33883 GHSA-3jg4-p23x-p4qx |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-t84q-nyyv-9kar
Aliases: CVE-2024-52600 GHSA-p7f6-8mcm-fwv3 |
Affected by 17 other vulnerabilities. |
|
|
VCID-x5p5-ez6j-2qe8
Aliases: CVE-2026-33171 GHSA-qm7r-wwq7-6f85 |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
|
VCID-xj5k-a1we-7ffx
Aliases: CVE-2026-33172 GHSA-7rcv-55mj-chg7 |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-99m5-7a9g-2bef | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled. |
CVE-2024-24570
GHSA-vqxq-hvxw-9mv9 |