Search for vulnerabilities
| Vulnerability ID | VCID-kajb-u17y-7ufu |
| Aliases |
CVE-2026-33887
GHSA-4hp7-3wxg-cv9q |
| Summary | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.2 |
| Risk | 3.1 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00032 | https://api.first.org/data/v1/epss?cve=CVE-2026-33887 |
| epss | 0.00032 | https://api.first.org/data/v1/epss?cve=CVE-2026-33887 |
| epss | 0.00032 | https://api.first.org/data/v1/epss?cve=CVE-2026-33887 |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-4hp7-3wxg-cv9q |
| cvssv3.1 | 5.4 | https://github.com/statamic/cms |
| generic_textual | MODERATE | https://github.com/statamic/cms |
| cvssv3.1 | 5.4 | https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q |
| cvssv3.1_qr | MODERATE | https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q |
| generic_textual | MODERATE | https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q |
| ssvc | Track | https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q |
| cvssv3.1 | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2026-33887 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2026-33887 |
| Reference id | Reference type | URL |
|---|---|---|
| https://api.first.org/data/v1/epss?cve=CVE-2026-33887 | ||
| https://github.com/statamic/cms | ||
| https://nvd.nist.gov/vuln/detail/CVE-2026-33887 | ||
| GHSA-4hp7-3wxg-cv9q | https://github.com/advisories/GHSA-4hp7-3wxg-cv9q | |
| GHSA-4hp7-3wxg-cv9q | https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.09945 |
| EPSS Score | 0.00032 |
| Published At | June 11, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-11T16:49:30.689706+00:00 | Vulnrichment | Import | https://github.com/cisagov/vulnrichment/blob/develop/2026/33xxx/CVE-2026-33887.json | 38.6.0 |