VYPR
High severity · NVD Advisory · Published Nov 14, 2023 · Updated Aug 30, 2024

Remote code execution via form uploads in statamic/cms

CVE-2023-48217

Description

Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Statamic CMS allows PHP files crafted as images to bypass MIME validation, enabling code execution via forms and asset uploads; patched in v3.4.14 and v4.34.0.

Vulnerability

Description

Statamic CMS versions before 3.4.14 and 4.34.0 contain a vulnerability where certain PHP files crafted to appear as images can bypass MIME type validation rules. This allows upload of malicious PHP files under the guise of images, bypassing security checks that should prevent arbitrary code execution [1].

Attack

Vector

The vulnerability can be exploited through front-end forms using the "Forms" feature, which are typically accessible to unauthenticated users, as well as through asset upload fields in the control panel. An attacker can upload a PHP file disguised as an image (e.g., with a .php extension but crafted content that mimics an image) to bypass MIME validation, leading to arbitrary file upload [1].

Impact

Successful exploitation allows an attacker to upload and execute arbitrary PHP code on the server. This can lead to complete site compromise, including data theft, defacement, or further attacks on the underlying infrastructure [1].

Mitigation

The issue has been patched in Statamic CMS versions 3.4.14 and 4.34.0. The patches introduce additional file validation checks, as seen in pull requests #8991 [2] and #8992 [3], and the release of v3.4.14 [4]. There are no known workarounds, so users are strongly advised to upgrade to patched versions immediately [1].
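To make the advisory's point concrete, here is an added example in plain PHP (not Statamic's or the patch's code): it reproduces the patched extension denylist next to a magic-byte image check and an allowlist rule, and runs them over constructed sample uploads. Function names, the sample file names and the sample bytes are assumptions.

```php
<?php
// Added example, not Statamic's code: plain PHP (8.0+, no Laravel) showing why an
// extension check must sit beside MIME/image validation. Function names are hypothetical.

// Denylist from patches #8991/#8992; the pre-patch list lacked php7, php8 and phar.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'];

function clientExtension(string $clientName): string
{
    // Mirrors getClientOriginalExtension(): text after the last dot, lowercased, trimmed.
    return trim(strtolower(pathinfo($clientName, PATHINFO_EXTENSION)));
}

function isExecutableExtension(string $clientName, array $denylist = EXECUTABLE_EXTENSIONS): bool
{
    return in_array(clientExtension($clientName), $denylist, true);
}

function looksLikeImage(string $bytes): bool
{
    // Magic-byte sniff, roughly what a MIME/"image" validator sees: PNG, JPEG, GIF.
    return str_starts_with($bytes, "\x89PNG\r\n\x1a\n")
        || str_starts_with($bytes, "\xFF\xD8\xFF")
        || str_starts_with($bytes, 'GIF87a') || str_starts_with($bytes, 'GIF89a');
}

// Hardened rule for an image field: allowlist the extension AND require image content.
// Content alone is not enough: a valid image header can precede PHP source, and the
// extension, not the bytes, decides whether the web server hands the file to PHP.
function uploadAllowed(string $clientName, string $bytes, array $allowed = ['png', 'jpg', 'jpeg', 'gif']): bool
{
    $ext = clientExtension($clientName);
    return in_array($ext, $allowed, true) && !isExecutableExtension($clientName) && looksLikeImage($bytes);
}

// Constructed samples: a bare PNG header, and the same header with a PHP open tag
// appended (the "crafted to look like an image" case; a marker only, no payload).
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 8);
$polyglot = $png . '<?php';
$preFix = ['php', 'php3', 'php4', 'php5', 'phtml'];
foreach ([['photo.png', $png], ['photo.php7', $polyglot], ['photo.PHP', $polyglot], ['photo.phar', $png]] as [$name, $bytes]) {
    printf("%-11s image=%d exec(pre-patch)=%d exec(patched)=%d allowed=%d\n", $name,
        (int) looksLikeImage($bytes), (int) isExecutableExtension($name, $preFix),
        (int) isExecutableExtension($name), (int) uploadAllowed($name, $bytes));
}
```

The `photo.php7` row is the advisory's case: the bytes pass the image sniff and the pre-patch denylist misses the extension, while the patched list and the allowlist both reject it.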

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    | Affected versions   | Patched versions
statamic/cms (Packagist)   | >= 4.0.0, < 4.34.0  | 4.34.0
statamic/cms (Packagist)   | < 3.4.14            | 3.4.14

Affected products: 2

Patches: 2
da28afde818d

[3.4] More php file validation (#8992)

https://github.com/statamic/cms · Jason Varga · Nov 14, 2023 · via ghsa
3 files changed · +3 −3
  • src/Http/Controllers/CP/Assets/AssetsController.php · +1 −1 · modified
    @@ -69,7 +69,7 @@ public function store(Request $request)
                 'container' => 'required',
                 'folder' => 'required',
                 'file' => ['file', function ($attribute, $value, $fail) {
    -                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
    +                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
                         $fail(__('validation.uploaded'));
                     }
                 }],
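Review bot: The fix remains a denylist keyed on the client-supplied name (`getClientOriginalExtension()` reads the filename the browser sent), and the previous list already missed `php7`, `php8` and `phar`, which is exactly what this hunk has to add. For an asset container that knows which types it accepts, an allowlist of expected extensions, or a check on the extension the asset is actually stored under, fails closed instead of needing another entry the next time a variant turns up.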
    
  • src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php · +1 −1 · modified
    @@ -12,7 +12,7 @@ public function upload(Request $request)
         {
             $request->validate([
                 'file' => ['file', function ($attribute, $value, $fail) {
    -                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
    +                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
                         $fail(__('validation.uploaded'));
                     }
                 }],
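Review bot: This closure is the second of three verbatim copies of the same extension check in this diff (AssetsController, FilesFieldtypeController, FormController). Extracting it into one reusable validation rule, for instance a class implementing Laravel's `Rule` contract, would make the list a single definition instead of three that must be edited together, as this commit had to do.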
    
  • src/Http/Controllers/FormController.php · +1 −1 · modified
    @@ -165,7 +165,7 @@ protected function extraRules($fields)
                 })
                 ->mapWithKeys(function ($field) {
                     return [$field->handle().'.*' => ['file', function ($attribute, $value, $fail) {
    -                    if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
    +                    if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
                             $fail(__('validation.uploaded'));
                         }
                     }]];
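Review bot: No test accompanies the change; the diff touches only the three controllers. Because `$field->handle().'.*'` applies the rule to every file of a front-end form field reachable by unauthenticated submitters, a feature test that posts a file with each newly rejected extension (`php7`, `php8`, `phar`) to a form upload field and asserts the `validation.uploaded` failure would pin the behaviour and catch the list drifting again.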
    
4c6fe041e220

[4.x] More php file validation (#8991)

https://github.com/statamic/cms · Jason Varga · Nov 14, 2023 · via ghsa
3 files changed · +3 −3
  • src/Http/Controllers/CP/Assets/AssetsController.php · +1 −1 · modified
    @@ -69,7 +69,7 @@ public function store(Request $request)
                 'container' => 'required',
                 'folder' => 'required',
                 'file' => ['file', function ($attribute, $value, $fail) {
    -                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
    +                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
                         $fail(__('validation.uploaded'));
                     }
                 }],
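Review bot: The closure carries no comment explaining what it guards, and `$fail(__('validation.uploaded'))` reuses the generic upload-failure message, so a later reader could mistake this for ordinary file-type validation and drop it in favour of a `mimes` or `image` rule. A one-line comment stating that this is an execution-prevention check on the extension, independent of any content or MIME validation on the same field, would document the intent next to the list.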
    
  • src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php · +1 −1 · modified
    @@ -12,7 +12,7 @@ public function upload(Request $request)
         {
             $request->validate([
                 'file' => ['file', function ($attribute, $value, $fail) {
    -                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
    +                if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
                         $fail(__('validation.uploaded'));
                     }
                 }],
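Review bot: This 4.x hunk and its 3.4 backport in #8992 carry the same literal list, so the two branches now have to be kept in step by hand. Holding the list as one named constant (or config value) on a shared rule class that both branches cherry-pick would make any future divergence visible in review instead of requiring a side-by-side diff of two controllers.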
    
  • src/Http/Controllers/FormController.php · +1 −1 · modified
    @@ -178,7 +178,7 @@ protected function extraRules($fields)
                 })
                 ->mapWithKeys(function ($field) {
                     return [$field->handle().'.*' => ['file', function ($attribute, $value, $fail) {
    -                    if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
    +                    if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
                             $fail(__('validation.uploaded'));
                         }
                     }]];
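Review bot: The rule is attached only to the fields selected by the chained call that precedes `->mapWithKeys` (closed by the `})` context line above), so whether a form field gets this check depends on that selection rather than on the field accepting files. Worth confirming in the same change that every fieldtype that can receive an upload through a front-end form is selected there, since a fieldtype that falls through skips the extension check entirely.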
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0 (no linked articles in the index yet)