VYPR

Packagist (Composer) package

statamic/cms

pkg:composer/statamic/cms

Vulnerabilities (31)

  • CVE-2026-44306 | Severity: Medium | Published: May 12, 2026
    Affected: < 5.73.21 | Fixed in: 5.73.21

    Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which

  • CVE-2026-41175 | Severity: High | Published: Apr 22, 2026
    Affected: < 5.73.20 | Fixed in: 5.73.20

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The

  • CVE-2026-33887 | Severity: Medium | Published: Mar 27, 2026
    Affected: < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions.

  • CVE-2026-33886 | Severity: Medium | Published: Mar 27, 2026
    Affected: >= 5.73.12, < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variab

  • CVE-2026-33885 | Severity: Medium | Published: Mar 27, 2026
    Affected: < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like

  • CVE-2026-33884 | Severity: Medium | Published: Mar 27, 2026
    Affected: < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has be

  • CVE-2026-33883 | Severity: Medium | Published: Mar 27, 2026
    Affected: < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in th

  • CVE-2026-33882 | Severity: Medium | Published: Mar 27, 2026
    Affected: < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel

  • CVE-2026-33177 | Published: Mar 20, 2026
    Affected: >= 6.0.0-alpha.1, < 6.7.0 | Fixed in: 6.7.0

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. Th

  • CVE-2026-33172 | Published: Mar 20, 2026
    Affected: >= 6.0.0-alpha.1, < 6.7.0 | Fixed in: 6.7.0

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that e

  • CVE-2026-33171 | Published: Mar 20, 2026
    Affected: >= 6.0.0-alpha.1, < 6.7.0 | Fixed in: 6.7.0

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration par

  • CVE-2026-32612 | Published: Mar 12, 2026
    Affected: >= 6.0.0, < 6.6.2 | Fixed in: 6.6.2

    Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonate

  • CVE-2026-28426 | Published: Feb 27, 2026
    Affected: < 5.73.11 | Fixed in: 5.73.11

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed

  • CVE-2026-28425 | Published: Feb 27, 2026
    Affected: < 5.73.16 | Fixed in: 5.73.16

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full co

  • CVE-2026-28424 | Published: Feb 27, 2026
    Affected: < 5.73.11 | Fixed in: 5.73.11

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been

  • CVE-2026-28423 | Published: Feb 27, 2026
    Affected: < 5.73.11 | Fixed in: 5.73.11

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP re

  • CVE-2026-27939 | Published: Feb 27, 2026
    Affected: >= 6.0.0, < 6.4.0 | Fixed in: 6.4.0

    Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allo

  • CVE-2026-27593 | Published: Feb 24, 2026
    Affected: < 5.73.10 | Fixed in: 5.73.10

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email a

  • CVE-2026-27196 | Published: Feb 21, 2026
    Affected: >= 6.0.0-alpha.1, < 6.3.2 | Fixed in: 6.3.2

    Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, in addition to 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious J

  • CVE-2026-25759 | Published: Feb 11, 2026
    Affected: >= 6.0.0, < 6.2.3 | Fixed in: 6.2.3

    Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privile
