Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-enub-vz6v-sqck
Vulnerability ID VCID-enub-vz6v-sqck
Aliases CVE-2022-24784
GHSA-qcgx-7p5f-hxvr
Summary Inadequate Encryption Strength Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.
Status Published
Exploitability 0.5
Weighted Severity 3.3
Risk 1.6
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-326 Inadequate Encryption Strength
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-203 Observable Discrepancy
System Score Found at
epss 0.00268 https://api.first.org/data/v1/epss?cve=CVE-2022-24784
epss 0.00268 https://api.first.org/data/v1/epss?cve=CVE-2022-24784
cvssv3.1_qr LOW https://github.com/advisories/GHSA-qcgx-7p5f-hxvr
cvssv3.1 3.7 https://github.com/statamic/cms
generic_textual LOW https://github.com/statamic/cms
cvssv3.1 3.7 https://github.com/statamic/cms/issues/5604
generic_textual LOW https://github.com/statamic/cms/issues/5604
ssvc Track https://github.com/statamic/cms/issues/5604
cvssv3.1 3.7 https://github.com/statamic/cms/pull/5568
generic_textual LOW https://github.com/statamic/cms/pull/5568
ssvc Track https://github.com/statamic/cms/pull/5568
cvssv3.1 3.7 https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
cvssv3.1_qr LOW https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
generic_textual LOW https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
ssvc Track https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
cvssv3.1 3.7 https://nvd.nist.gov/vuln/detail/CVE-2022-24784
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2022-24784
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-24784
https://github.com/statamic/cms
https://github.com/statamic/cms/issues/5604
https://github.com/statamic/cms/pull/5568
CVE-2022-24784 https://nvd.nist.gov/vuln/detail/CVE-2022-24784
GHSA-qcgx-7p5f-hxvr https://github.com/advisories/GHSA-qcgx-7p5f-hxvr
GHSA-qcgx-7p5f-hxvr https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/statamic/cms
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/statamic/cms/issues/5604
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/ Found at https://github.com/statamic/cms/issues/5604
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/statamic/cms/pull/5568
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/ Found at https://github.com/statamic/cms/pull/5568
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:26Z/ Found at https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24784
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.50409
EPSS Score 0.00268
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:41:55.149489+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2022-24784.yml 38.6.0