Vendor CVEs
Statamic
All CVEs
82 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-27593 | | | 0.00 | — | 0.00 | | Feb 24, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email… |
| CVE-2026-27196 | | | 0.00 | — | 0.00 | | Feb 21, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious… |
| CVE-2026-25759 | | | 0.00 | — | 0.00 | | Feb 11, 2026 | Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by… |
| CVE-2026-25633 | | | 0.00 | — | 0.00 | | Feb 11, 2026 | Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are… |
| CVE-2021-47753 | | | 0.00 | — | 0.01 | | Jan 15, 2026 | phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted… |
| CVE-2022-50937 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate… |
| CVE-2022-50936 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute… |
| CVE-2022-50905 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject… |
| CVE-2022-50895 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially… |
| CVE-2025-67436 | | | 0.00 | — | 0.01 | | Dec 22, 2025 | Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). |
| CVE-2025-67443 | | | 0.00 | — | 0.00 | | Dec 22, 2025 | Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of JavaScript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. |
| CVE-2023-53936 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title,… |
| CVE-2023-53909 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the… |
| CVE-2023-53901 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image… |
| CVE-2023-53891 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised… |
| CVE-2023-53890 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session… |
| CVE-2023-53889 | | | 0.00 | — | 0.01 | | Dec 15, 2025 | Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute… |
| CVE-2023-53884 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts… |
| CVE-2024-32643 | | | 0.00 | — | 0.00 | | Dec 3, 2025 | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13,… |
| CVE-2025-40661 | | | 0.00 | — | 0.00 | | Jun 10, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area by setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/selection.asp. |
| CVE-2025-40658 | | | 0.00 | — | 0.00 | | Jun 10, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area by setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp. |
| CVE-2025-5432 | | | 0.00 | — | 0.00 | | Jun 2, 2025 | A vulnerability has been found in AssamLook CMS 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /view_tender.php. The manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit… |
| CVE-2025-5430 | | | 0.00 | — | 0.00 | | Jun 2, 2025 | A vulnerability, which was classified as critical, has been found in AssamLook CMS 1.0. This issue affects some unknown processing of the file /product.php. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been… |
| CVE-2025-5381 | | | 0.00 | — | 0.01 | | May 31, 2025 | A vulnerability, which was classified as problematic, was found in Yifang CMS up to 2.0.2. Affected is the function downloadFile of the file /api/File/downloadFile of the component Admin Panel. The manipulation of the argument File leads to path traversal. It is possible to… |
| CVE-2024-24570 | | | 0.00 | — | 0.01 | | Feb 1, 2024 | Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the… |
| CVE-2023-48701 | | | 0.00 | — | 0.01 | | Nov 21, 2023 | Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an… |
| CVE-2023-48217 | | | 0.00 | — | 0.01 | | Nov 14, 2023 | Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and… |
| CVE-2023-47129 | | | 0.00 | — | 0.01 | | Nov 10, 2023 | Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_… |
| CVE-2023-36828 | | | 0.00 | — | 0.01 | | Jul 5, 2023 | Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the… |
| CVE-2022-24784 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually… |
| CVE-2021-45364 | | | 0.00 | — | 0.02 | | Feb 10, 2022 | A Code Execution vulnerability exists in Statamic versions through 3.2.26 via SettingsController.php. NOTE: the vendor indicates that there was an error in publishing this CVE Record, and that all parties agree that the affected code was not used in any Statamic product. |
| CVE-2018-19598 | | | 0.00 | — | 0.01 | | Dec 19, 2018 | Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request. |
Page 2 of 2