CVE-2026-33886
Published 2026-03-27
Priority: P3 39 | Severity: medium | CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.22% (12.9th percentile)
Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | — | — |
| statamic | cms | — | — |
| statamic | cms | >= 5.73.12 < 5.73.16 | 5.73.16 |
| statamic | cms | >= 6.5.0 < 6.7.2 | 6.7.2 |
| statamic | statamic | >= 5.73.12 < 5.73.16 | 5.73.16 |
| statamic | statamic | >= 6.5.0 < 6.7.2 | 6.7.2 |
GHSA
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
ghsa · 2026-03-26
CVE-2026-33886 [MEDIUM] CWE-200
### Impact
A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.
### Patches
This has been fixed in 5.73.16 and 6.7.2.
OSV
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
osv · 2026-03-26
CVE-2026-33886 [MEDIUM]
No detection rules found.
No public exploits indexed.