Statamic CMS remote code execution via front-end form uploads
Description
Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Statamic CMS allows PHP file upload as images via front-end forms, leading to potential remote code execution.
Vulnerability
Overview
CVE-2023-47129 is a vulnerability in the Statamic CMS core Laravel package (statamic/cms) affecting front-end forms that include an asset upload field. Prior to versions 3.4.13 and 4.33.0, a file whose contents look like an image but whose name carries a PHP-executable extension (.php, .php3, .php4, .php5 or .phtml) could be uploaded through such a form [1]. The flaw is in the extraRules method of FormController: before the fix, assets fields were validated only with Laravel's generic 'file' rule, which checks that an upload succeeded but says nothing about the file's extension or content [4]. Only forms built with the Statamic "Forms" feature are affected, not arbitrary forms, and the control panel is not affected [1].
Exploitation
Details
An attacker who can reach a publicly-facing front-end form containing an asset upload field can submit a PHP file whose body is dressed up as an image. No authentication is needed, since such forms are typically open to anonymous visitors [3]. Before the patch the only server-side rule on these fields was Laravel's generic 'file' rule, which asserts that an upload succeeded and checks neither extension nor MIME type [4]. Whether the upload then becomes code execution depends on the deployment: the file must land in a web-served asset container, and the web server must hand files with the uploaded extension to the PHP interpreter, which practically every deployment does for .php and many also do for .phtml.
Impact
Successful exploitation gives the attacker remote code execution as the user the PHP process runs under [3]. From there the attacker can run arbitrary commands, read or alter site content and configuration, harvest any credentials the application holds, and pivot to other systems the server can reach [3].
Mitigation
The vulnerability has been patched in Statamic CMS versions 3.4.13 and 4.33.0 [1]. In extraRules the fix adds a closure rule to every assets field that rejects an upload whose client-supplied filename ends in .php, .php3, .php4, .php5 or .phtml, compared after lowercasing [4]. Update to a patched version. Note that the fix is a denylist keyed on the last extension of the client-supplied name and inspects nothing about the file body, so an extension the web server also hands to PHP but that is not on the list (for example .phar, which the stock Debian/Ubuntu Apache PHP handler matches) still passes. Keep the deployment-side control in place regardless of version: configure the web server so that nothing under the asset container's public path is executed as PHP, and serve only the extensions the field is meant to accept. If upgrading is not immediately possible, remove asset upload fields from public forms. After patching, check the affected asset containers for files with PHP-executable extensions uploaded before the fix and treat any such file as an indicator of compromise.
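The three checks discussed above (the pre-patch 'file' rule, the patched extension denylist, and an allowlist plus content check), side by side on constructed upload samples. This is an added example and not Statamic's or Laravel's code: it is plain PHP with no framework dependency so it runs under `php` on the command line. The denylist is the one from the commits below; the image allowlist, the magic-byte table, the function names and the sample filenames and bytes are assumptions made for the demonstration.

```php
<?php
// Added example, not Statamic's code. Compares three server-side checks on
// constructed upload samples: the pre-patch 'file' rule, the patched denylist
// from the FormController commits, and an allowlist + content sniff.
declare(strict_types=1);

// Denylist used by the fix (taken from the patch hunk).
const PATCH_DENYLIST = ['php', 'php3', 'php4', 'php5', 'phtml'];

// Assumed allowlist for an image upload field; adjust to what the field needs.
const IMAGE_ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

// Leading bytes each allowlisted type must start with.
const IMAGE_MAGIC = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => 'GIF8',   // GIF87a or GIF89a
    'webp' => 'RIFF',   // plus "WEBP" at offset 8, checked below
];

// Same value Symfony's UploadedFile::getClientOriginalExtension() yields:
// the text after the last dot of the client-supplied filename.
function clientExtension(string $clientName): string
{
    return strtolower(trim(pathinfo($clientName, PATHINFO_EXTENSION)));
}

// Pre-patch: Laravel's 'file' rule only demands a successfully uploaded file.
function prePatchAccepts(string $clientName, string $bytes): bool
{
    return $bytes !== '';
}

// Patched: the 'file' rule plus the closure from the diff.
function patchedAccepts(string $clientName, string $bytes): bool
{
    return prePatchAccepts($clientName, $bytes)
        && !in_array(clientExtension($clientName), PATCH_DENYLIST, true);
}

// Hardened: allowlisted extension, matching magic bytes, and no PHP open tag
// anywhere in the body (the "image that is really PHP" pattern of this CVE).
function hardenedAccepts(string $clientName, string $bytes): bool
{
    $ext = clientExtension($clientName);
    if (!in_array($ext, IMAGE_ALLOWLIST, true)) {
        return false;
    }
    $magic = IMAGE_MAGIC[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return false;
    }
    if ($ext === 'webp' && substr($bytes, 8, 4) !== 'WEBP') {
        return false;
    }
    // "<?php" is searched case-insensitively; the bare "<?" short tag is left
    // out because two arbitrary bytes collide with it too often in real images.
    return stripos($bytes, '<?php') === false;
}

// Constructed samples (not captured traffic). The polyglot carries a GIF header
// so an image-only check is fooled, but its body is PHP.
$benignGif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xFF\xFF\xFF"
    . "\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    . "\x02\x01\x44\x00\x3B"; // 1x1 GIF89a
$polyglot  = "GIF89a<?php phpinfo(); ?>";

$samples = [
    ['shell.php',   $polyglot],  // the case in the advisory
    ['shell.PHP',   $polyglot],  // strtolower() in the fix catches this
    ['shell.phtml', $polyglot],
    ['shell.phar',  $polyglot],  // outside the denylist; executed where the PHP handler matches .phar
    ['photo.gif',   $benignGif], // legitimate upload
    ['photo.gif',   $polyglot],  // PHP body under an image extension: not executable by default, still worth rejecting
];

foreach ($samples as [$name, $bytes]) {
    printf("%-12s pre-patch=%-5s patched=%-5s hardened=%s\n", $name,
        var_export(prePatchAccepts($name, $bytes), true),
        var_export(patchedAccepts($name, $bytes), true),
        var_export(hardenedAccepts($name, $bytes), true));
}
```

Run it with `php example.php`. The rows to look at are `shell.phar`, which the patched denylist still accepts, and the second `photo.gif`, a PHP body under a harmless extension that only the content check catches. In a real Laravel rule the same logic sits in the closure's `$value` (an UploadedFile), with `$value->getClientOriginalExtension()` and `file_get_contents($value->getRealPath())` supplying the two inputs.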
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | >= 4.0.0, < 4.33.0 | 4.33.0 |
| statamic/cms (Packagist) | < 3.4.13 | 3.4.13 |
Affected products
- statamic/cms (v5): range < 3.4.13
Patches
- 098ef8024d97: Front-end form asset field php file validation (#8971)
1 file changed · +5 −1
src/Http/Controllers/FormController.php+5 −1 modified@@ -164,7 +164,11 @@ protected function extraRules($fields) return $field->fieldtype()->handle() === 'assets'; }) ->mapWithKeys(function ($field) { - return [$field->handle().'.*' => 'file']; + return [$field->handle().'.*' => ['file', function ($attribute, $value, $fail) { + if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) { + $fail(__('validation.uploaded')); + } + }]]; }) ->all();
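Review bot: the closure is a denylist on the last dot segment of the client-supplied filename (getClientOriginalExtension), and the five entries leave out extensions that common PHP handler configurations also execute, notably .phar (the stock Debian/Ubuntu Apache handler uses `FilesMatch ".+\.ph(ar|p|tml)$"`, so a .phar upload runs there); the body of the file is never looked at. Prefer an allowlist of the extensions the assets field is actually meant to accept, with a content check (finfo) on top; if the denylist stays, at least add `phar`. Also, `$fail(__('validation.uploaded'))` tells the user the upload failed rather than that the type was refused, which will send people to support instead of renaming their file; a type-specific message such as `validation.mimes` would be clearer.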
- f6c688154f6b: [4.x] Front-end form asset field php file validation (#8968)
1 file changed · +5 −1
src/Http/Controllers/FormController.php+5 −1 modified@@ -177,7 +177,11 @@ protected function extraRules($fields) return $field->fieldtype()->handle() === 'assets'; }) ->mapWithKeys(function ($field) { - return [$field->handle().'.*' => 'file']; + return [$field->handle().'.*' => ['file', function ($attribute, $value, $fail) { + if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) { + $fail(__('validation.uploaded')); + } + }]]; }) ->all();
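Review bot: the 4.x backport changes only FormController.php and ships no test, so nothing guards this regression. Add a feature test that posts to a form with an assets field a file named `shell.php` and one named `shell.PHP` whose bytes begin with an image header, asserting a validation error on the field for both, alongside a `.gif` that is accepted; the `strtolower(trim(...))` normalisation in the closure is exactly the kind of detail a later refactor silently drops.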
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-72hg-5wr5-rmfc (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-47129 (GHSA, ADVISORY)
- github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75 (GHSA, x_refsource_MISC, WEB)
- github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77 (GHSA, x_refsource_MISC, WEB)
- github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.