Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ecbj-1cp6-hbba
Vulnerability ID VCID-ecbj-1cp6-hbba
Aliases CVE-2026-27939
GHSA-rw9x-pxqx-q789
Summary Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-27939
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rw9x-pxqx-q789
cvssv3.1 8.8 https://github.com/statamic/cms
generic_textual HIGH https://github.com/statamic/cms
cvssv3.1 8.8 https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a
generic_textual HIGH https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a
ssvc Track https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a
cvssv3.1 8.8 https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
cvssv3.1_qr HIGH https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
generic_textual HIGH https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
ssvc Track https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2026-27939
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-27939
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-27939
https://github.com/statamic/cms
https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a
CVE-2026-27939 https://nvd.nist.gov/vuln/detail/CVE-2026-27939
GHSA-rw9x-pxqx-q789 https://github.com/advisories/GHSA-rw9x-pxqx-q789
GHSA-rw9x-pxqx-q789 https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/statamic/cms
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T22:03:09Z/ Found at https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-02T22:03:09Z/ Found at https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27939
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06601
EPSS Score 0.00022
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:07:20.890326+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-27939.yml 38.6.0