Statamic Cms vulnerabilities
37 known vulnerabilities affecting statamic/cms.
Total CVEs: 37
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 11, MEDIUM 22, LOW 3
Vulnerabilities
Page 2 of 2
CVE-2026-33887 [MEDIUM] P4 | CVSS 5.4 | CWE-862 | Date: 2026-03-27
Fixed in: 5.73.16 | Affected: >= 6.0.0-alpha.1, < 6.7.2
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers
CVE-2026-44306 [MEDIUM] P4 | CVSS 5.3 | CWE-204 | Date: 2026-05-12
Fixed in: 5.73.21 | Affected: >= 6.0.0, < 6.15.0
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fix
CVE-2026-33883 [MEDIUM] P4 | CVSS 6.1 | CWE-79 | Date: 2026-03-27
Fixed in: 5.73.16 | Affected: >= 6.0.0-alpha.1, < 6.7.2
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.
CVE-2026-32612 [MEDIUM] P4 | CVSS 5.4 | CWE-79 | Date: 2026-03-13
Affected: >= 6.0.0, < 6.6.2
Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
CVE-2026-28426 [MEDIUM] P4 | CVSS 5.4 | CWE-79 | Date: 2026-02-27
Fixed in: 5.73.11 | Affected: >= 6.0.0, < 6.4.0
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
CVE-2026-33171 [MEDIUM] P4 | CVSS 4.3 | CWE-22 | Date: 2026-03-20
Fixed in: 5.73.14 | Affected: >= 6.0.0-alpha.1, < 6.7.0
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6
CVE-2023-36828 [MEDIUM] P4 | CVSS 5.4 | CWE-79 | Date: 2023-07-05
Fixed in: 4.10.0
Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.
CVE-2026-25633 [MEDIUM] P4 | CVSS 4.3 | CWE-862 | Date: 2026-02-11
Fixed in: 5.73.6 | Affected: >= 6.0.0-alpha.1, < 6.2.5
Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
CVE-2026-27196 [MEDIUM] P4 | CVSS 4.8 | CWE-79 | Date: 2026-02-21
Fixed in: 5.73.9 | Affected: >= 6.0.0-alpha.1, < 6.3.2
Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, in addition to 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This iss
CVE-2026-33177 [MEDIUM] P4 | CVSS 4.3 | CWE-862 | Date: 2026-03-20
Fixed in: 5.73.14 | Affected: >= 6.0.0-alpha.1, < 6.7.0
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy
CVE-2026-33884 [MEDIUM] P4 | CVSS 4.3 | CWE-863 | Date: 2026-03-27
Fixed in: 5.73.16 | Affected: >= 6.0.0-alpha.1, < 6.7.2
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
CVE-2026-49288 [MEDIUM] P4 | CVSS 4.3 | CWE-200 | Date: 2026-06-19
Fixed in: 5.73.23 | Affected: >= 6.0.0, < 6.20.0
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles,
CVE-2022-24784 [LOW] P4 | CVSS 3.7 | CWE-200 | Date: 2022-03-25
Fixed in: 3.2.39, 3.3.2
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the
CVE-2024-36119 [LOW] P4 | CVSS 1.8 | CWE-312 | Date: 2024-05-30
Affected: >= 5.3.0, < 5.6.2
Statamic is a Laravel + Git powered CMS designed for building websites. In affected versions, users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the following conditions: 1. Running Statamic versions between 5.3.0 and 5.6.1. (This v
CVE-2026-54243 [MEDIUM] | CWE-1236 | Date: 2026-06-26
Affected: >= 6.0.0, < 6.20.1; >= 0, < 5.73.24
Statamic Vulnerable to CSV formula injection in form submission exports
### Impact
Form submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g. `=`, `+`, `-`, `@`) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application.
CVE-2026-54242 [MEDIUM] | CWE-367 | Date: 2026-06-26
Affected: >= 0, < 5.73.24; >= 6.0.0, < 6.20.1
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
### Impact
The Glide image proxy's URL validation could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation. This cou
CVE-2026-54244 [LOW] | CWE-863 | Date: 2026-06-26
Affected: >= 0, < 5.74.0; >= 6.0.0, < 6.20.3
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
### Impact
The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they we