
Statamic CMS vulnerabilities

37 known vulnerabilities affecting statamic/cms.

Total CVEs: 37
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 11, MEDIUM 22, LOW 3

Vulnerabilities

Page 1 of 2
CVE-2023-47129 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.4.13; affected >= 4.0.0, < 4.33.0 | 2023-11-10
CWE-434: Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has
Sources: GHSA, NVD, OSV
CVE-2026-28423 | P3 | HIGH | CVSS 8.6 | fixed in 5.73.11; affected >= 6.0.0, < 6.4.0 | 2026-02-27
CWE-918: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark
Sources: GHSA, NVD, OSV
CVE-2023-48217 | P3 | HIGH | CVSS 8.8 | affected >= 4.0.0, < 4.34.0; fixed in 3.4.14 | 2023-11-14
CWE-94: Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage t
Sources: GHSA, NVD, OSV
CVE-2026-27939 | P3 | HIGH | CVSS 8.8 | affected >= 6.0.0, < 6.4.0 | 2026-02-27
CWE-287: Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user's existing pe
Sources: GHSA, NVD, OSV
CVE-2026-41175 | P3 | HIGH | CVSS 8.1 | fixed in 5.73.23; affected >= 6.0.0, < 6.20.0 | 2026-04-22
CWE-470: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order
Sources: NVD
CVE-2026-27593 | P3 | HIGH | CVSS 8.8 | fixed in 5.73.10; affected >= 6.0.0-alpha.1, < 6.3.3 | 2026-02-24
CWE-640: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly cl
Sources: GHSA, NVD, OSV
CVE-2026-28425 | P3 | HIGH | CVSS 8.0 | fixed in 5.73.16; affected >= 6.0.0, < 6.7.2 | 2026-02-27
CWE-94: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration,
Sources: GHSA, NVD, OSV
CVE-2026-25759 | P3 | HIGH | CVSS 8.7 | affected >= 6.0.0, < 6.2.3 | 2026-02-11
CWE-79: Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access an
Sources: GHSA, NVD, OSV
CVE-2026-33172 | P3 | HIGH | CVSS 8.7 | affected >= 6.0.0-alpha.1, < 6.7.0; fixed in 5.73.14 | 2026-03-20
CWE-79: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
Sources: GHSA, NVD, OSV
CVE-2026-33882 | P3 | MEDIUM | CVSS 6.5 | fixed in 5.73.16; affected >= 6.0.0-alpha.1, < 6.7.2 | 2026-03-27
CWE-20: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encr
Sources: GHSA, NVD, OSV
CVE-2025-64112 | P3 | HIGH | CVSS 8.0 | fixed in 5.22.1 | 2025-10-30
CWE-79: Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.
Sources: GHSA, NVD, OSV
CVE-2026-49287 | P3 | HIGH | affected >= 0, < 5.73.23; >= 6.0.0, < 6.20.0 | 2026-06-26
CWE-470: Statamic CMS's unsafe method invocation via collection sorting allows data destruction. Impact: The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that
Sources: GHSA
CVE-2026-33886 | P3 | MEDIUM | CVSS 6.5 | affected >= 5.73.12, < 5.73.16; >= 6.0.0.alpha.1, < 6.7.2 | 2026-03-27
CWE-200: Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2.
Sources: GHSA, NVD, OSV
CVE-2026-28424 | P3 | MEDIUM | CVSS 6.5 | fixed in 5.73.11; affected >= 6.0.0, < 6.4.0 | 2026-02-27
CWE-862: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
Sources: GHSA, NVD, OSV
CVE-2017-11422 | P3 | HIGH | affected >= 0, < 2.6.0 | 2022-05-13
CWE-732: Statamic framework Incorrect Permission Assignment. Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc.
Sources: GHSA, OSV
CVE-2026-45660 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.73.22; affected >= 6.0.0-alpha.1, < 6.18.1 | 2026-05-29
CWE-918: Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, priv
Sources: GHSA, NVD
CVE-2026-33885 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.73.16; affected >= 6.0.0.alpha.1, < 6.7.2 | 2026-03-27
CWE-601: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.
Sources: GHSA, NVD, OSV
CVE-2024-24570 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.4.17; affected >= 4.0.0, < 4.46.0 | 2024-02-01
CWE-79: Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy
Sources: GHSA, NVD, OSV
CVE-2023-48701 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.4.15; affected >= 4.0.0, < 4.36.0 | 2023-11-21
CWE-79: Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel, which requires authentication.
Sources: GHSA, NVD, OSV
CVE-2024-52600 | P4 | MEDIUM | CVSS 5.3 | fixed in 5.17.0 | 2024-11-19
CWE-22: Statamic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users wou
Sources: GHSA, NVD, OSV