CVE-2026-49288
Published: 2026-06-19
Priority: P4 22 · CVSS 3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.16% (5.7th percentile)
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | < 5.73.23 | 5.73.23 |
| statamic | cms | — | — |
| statamic | cms | >= 0 < 5.73.23 | 5.73.23 |
| statamic | cms | >= 6.0.0 < 6.20.0 | 6.20.0 |
GHSA · 2026-06-26
CVE-2026-49288 [MEDIUM] CWE-200 Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
### Impact
An authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified.
### Patches
This has been fixed in 5.73.23 and 6.20.0.
VulDB · 2026-06-19
CVE-2026-49288 [LOW] Statamic CMS up to 5.73.22/6.19.x Custom Fields information disclosure (GHSA-2497-6pwj-pwg7)
A vulnerability classified as problematic has been found in Statamic CMS up to 5.73.22/6.19.x. The affected code is an unknown function of the Custom Fields Handler component; manipulation of it leads to information disclosure.
This vulnerability is tracked as CVE-2026-49288. The attack can be carried out remotely. No exploit is publicly available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-19