CMS
by Statamic
Source repositories
CVEs (72)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-52600 | Med | 0.27 | 5.3 | 0.01 | Nov 19, 2024 | Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets`… | ||
| CVE-2026-6648 | Low | 0.23 | 3.5 | 0.00 | Apr 20, 2026 | A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and… | ||
| CVE-2026-3743 | Low | 0.23 | 3.5 | 0.00 | Mar 8, 2026 | A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. Executing a manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been… | ||
| CVE-2026-3741 | Low | 0.23 | 3.5 | 0.00 | Mar 8, 2026 | A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. Such manipulation of the argument linkName leads to cross site scripting. The attack may be performed from remote. The exploit… | ||
| CVE-2026-2932 | Low | 0.16 | 2.4 | 0.00 | Feb 22, 2026 | A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting.… | ||
| CVE-2026-7014 | Low | 0.09 | 2.4 | 0.00 | Apr 26, 2026 | A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scripting. The attack may be initiated remotely. The exploit has been published and… | ||
| CVE-2024-36119 | Low | 0.05 | 1.8 | 0.00 | May 30, 2024 | Statamic is a, Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the… | ||
| CVE-2026-49288 | 0.00 | — | 0.00 | Jun 19, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other… | |||
| CVE-2019-25574 | 0.00 | — | 0.01 | Mar 21, 2026 | Green CMS 2.x contains a path traversal vulnerability that allows authenticated attackers to download arbitrary files and directories by injecting directory traversal sequences. Attackers can manipulate the theme_name parameter in the themeexporthandle action or supply… | |||
| CVE-2026-33177 | 0.00 | — | 0.00 | Mar 20, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions.… | |||
| CVE-2026-33172 | 0.00 | — | 0.00 | Mar 20, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that… | |||
| CVE-2026-33171 | 0.00 | — | 0.00 | Mar 20, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration… | |||
| CVE-2025-69246 | 0.00 | — | 0.00 | Mar 16, 2026 | Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6. | |||
| CVE-2025-69245 | 0.00 | — | 0.00 | Mar 16, 2026 | Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in 1.4.6. | |||
| CVE-2025-69243 | 0.00 | — | 0.00 | Mar 16, 2026 | Raytha CMS is vulnerable to User Enumeration in password reset functionality. Difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. This issue was fixed in version 1.5.0. | |||
| CVE-2026-32612 | 0.00 | — | 0.00 | Mar 12, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user… | |||
| CVE-2026-28426 | 0.00 | — | 0.00 | Feb 27, 2026 | Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when… | |||
| CVE-2026-28425 | 0.00 | — | 0.00 | Feb 27, 2026 | Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full… | |||
| CVE-2026-28424 | 0.00 | — | 0.00 | Feb 27, 2026 | Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has… | |||
| CVE-2026-28423 | 0.00 | — | 0.00 | Feb 27, 2026 | Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP… |
- risk 0.27cvss 5.3epss 0.01
Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets`…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and…
- risk 0.23cvss 3.5epss 0.00
A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. Executing a manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been…
- risk 0.23cvss 3.5epss 0.00
A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. Such manipulation of the argument linkName leads to cross site scripting. The attack may be performed from remote. The exploit…
- risk 0.16cvss 2.4epss 0.00
A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting.…
- risk 0.09cvss 2.4epss 0.00
A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scripting. The attack may be initiated remotely. The exploit has been published and…
- risk 0.05cvss 1.8epss 0.00
Statamic is a, Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the…
- CVE-2026-49288Jun 19, 2026risk 0.00cvss —epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other…
- CVE-2019-25574Mar 21, 2026risk 0.00cvss —epss 0.01
Green CMS 2.x contains a path traversal vulnerability that allows authenticated attackers to download arbitrary files and directories by injecting directory traversal sequences. Attackers can manipulate the theme_name parameter in the themeexporthandle action or supply…
- CVE-2026-33177Mar 20, 2026risk 0.00cvss —epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions.…
- CVE-2026-33172Mar 20, 2026risk 0.00cvss —epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that…
- CVE-2026-33171Mar 20, 2026risk 0.00cvss —epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration…
- CVE-2025-69246Mar 16, 2026risk 0.00cvss —epss 0.00
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.
- CVE-2025-69245Mar 16, 2026risk 0.00cvss —epss 0.00
Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in 1.4.6.
- CVE-2025-69243Mar 16, 2026risk 0.00cvss —epss 0.00
Raytha CMS is vulnerable to User Enumeration in password reset functionality. Difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. This issue was fixed in version 1.5.0.
- CVE-2026-32612Mar 12, 2026risk 0.00cvss —epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user…
- CVE-2026-28426Feb 27, 2026risk 0.00cvss —epss 0.00
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when…
- CVE-2026-28425Feb 27, 2026risk 0.00cvss —epss 0.00
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full…
- CVE-2026-28424Feb 27, 2026risk 0.00cvss —epss 0.00
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has…
- CVE-2026-28423Feb 27, 2026risk 0.00cvss —epss 0.00
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP…
Page 2 of 4