High severity8.8NVD Advisory· Published Nov 14, 2023· Updated Jun 17, 2026
CVE-2023-48217
CVE-2023-48217
Description
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
statamic/cmsPackagist | >= 4.0.0, < 4.34.0 | 4.34.0 |
statamic/cmsPackagist | < 3.4.14 | 3.4.14 |
Affected products
2Patches
Vulnerability mechanics
References
9- github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411nvdPatchWEB
- github.com/advisories/GHSA-2r53-9295-3m86ghsaADVISORY
- github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-48217ghsaADVISORY
- github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6ghsaWEB
- github.com/statamic/cms/pull/8991ghsaWEB
- github.com/statamic/cms/pull/8992ghsaWEB
- github.com/statamic/cms/releases/tag/v3.4.14ghsaWEB
- github.com/statamic/cms/releases/tag/v4.34.0ghsaWEB
News mentions
0No linked articles in our index yet.