CVE-2026-54242
Published 2026-06-26
medium
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)

### Impact

The Glide image proxy's URL validation could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation. This could cause the server to make HTTP requests to internal addresses, including loopback, private network, and cloud metadata endpoints.

This affects sites that pass user-supplied URLs to Glide.

### Patches

This has been fixed in 5.73.24 and 6.20.1.
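The flaw above is a check-then-use gap on DNS: the address that was validated is not necessarily the address that is fetched. The following is an added example, not Statamic's code or its patch; the resolver, the `record_connect` stub, the hostname and the addresses are constructed so it runs offline. It contrasts re-resolving after validation with resolving once and connecting to the validated address.

```python
import ipaddress
from urllib.parse import urlsplit

class BlockedDestination(Exception):
    """Raised when a URL does not resolve exclusively to public addresses."""

def target_host(url):
    """Accept only http(s) URLs that carry a hostname."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(url)
    return parts.hostname

def public_addresses(host, resolver):
    """Resolve host once; return its addresses only if every one is public."""
    addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs or not all(a.is_global for a in addrs):
        raise BlockedDestination(host)
    return [str(a) for a in addrs]

def fetch_rechecking(url, resolver, connect):
    """Flawed pattern from the advisory: validate, then resolve again to fetch."""
    host = target_host(url)
    public_addresses(host, resolver)          # lookup 1: validation passes
    return connect(resolver(host)[0], host)   # lookup 2: answer may have changed

def fetch_pinned(url, resolver, connect):
    """Resolve once and connect to the exact address that was validated."""
    host = target_host(url)
    ip = public_addresses(host, resolver)[0]  # the only lookup
    return connect(ip, host)                  # host kept for Host header / SNI

def rebinding_resolver():
    """Constructed resolver: public answer first, metadata address afterwards."""
    answers = iter([["93.184.216.34"]])
    return lambda host: next(answers, ["169.254.169.254"])

def record_connect(ip, host):
    """Stand-in for the HTTP client: returns the address the socket would use."""
    return ip

URL = "http://img.rebind.example/cat.png"  # constructed hostname

def demo():
    flawed = fetch_rechecking(URL, rebinding_resolver(), record_connect)
    pinned = fetch_pinned(URL, rebinding_resolver(), record_connect)
    return flawed, pinned  # ("169.254.169.254", "93.184.216.34")

if __name__ == "__main__":
    print(demo())
```

If the HTTP client follows redirects, each hop needs the same resolve, validate and pin sequence, since a redirect target is a new hostname lookup.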
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | >= 0 < 5.73.24 | 5.73.24 |
| statamic | cms | >= 6.0.0 < 6.20.1 | 6.20.1 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.