VYPR

Packagist (Composer) package

statamic/cms

pkg:composer/statamic/cms

Vulnerabilities (31)

  • CVE-2026-25633 (Feb 11, 2026)
    affected < 5.73.6, fixed 5.73.6

    Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are un

  • CVE-2025-64112 (High, Oct 30, 2025)
    affected < 5.22.1, fixed 5.22.1

    Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This v

  • CVE-2024-52600 (Medium, Nov 19, 2024)
    affected < 5.17.0, fixed 5.17.0

    Statamic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets`

  • CVE-2024-36119 (Low, May 30, 2024)
    affected >= 5.3.0, < 5.6.2, fixed 5.6.2

    Statamic is a Laravel + Git powered CMS designed for building websites. In affected versions, users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the followin

  • CVE-2024-24570 (Feb 1, 2024)
    affected >= 4.00, < 4.46.0, fixed 4.46.0

    Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control

  • CVE-2023-48701 (Nov 21, 2023)
    affected < 3.4.15, fixed 3.4.15

    Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an

  • CVE-2023-48217 (Nov 14, 2023)
    affected >= 4.0.0, < 4.34.0, fixed 4.34.0

    Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and

  • CVE-2023-47129 (Nov 10, 2023)
    affected >= 4.0.0, < 4.33.0, fixed 4.33.0

    Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ ar

  • CVE-2023-36828 (Jul 5, 2023)
    affected < 4.10.0, fixed 4.10.0

    Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitiz

  • CVE-2022-24784 (Mar 25, 2022)
    affected < 3.2.39, fixed 3.2.39

    Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually unc

  • CVE-2017-11422 (High, Jul 24, 2017)
    affected < 2.6.0, fixed 2.6.0

    Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc.
