VYPR
Moderate severityNVD Advisory· Published Feb 11, 2026· Updated Feb 12, 2026

Statamic's missing authorization allows access to assets

CVE-2026-25633

Description

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
statamic/cmsPackagist
< 5.73.65.73.6
statamic/cmsPackagist
>= 6.0.0-alpha.1, < 6.2.56.2.5

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.