
20 matches found

RedhatCVE, added 2026/03/28 11:09 p.m., 4 views

CVE-2026-33887

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4, AI score 5.8, EPSS 0.00142; Exploits 0, References 1

RedhatCVE, added 2026/03/28 11:09 p.m., 2 views

CVE-2026-33885

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

CVSS 6.1, AI score 5.7, EPSS 0.00177; Exploits 0, References 1

NVD, added 2026/03/27 9:17 p.m., 3 views

CVE-2026-33884

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...

CVSS 4.3, EPSS 0.00162; Exploits 0, References 1

NVD, added 2026/03/27 9:17 p.m., 2 views

CVE-2026-33886

Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...

CVSS 6.5, EPSS 0.00224; Exploits 0, References 1

Cvelist, added 2026/03/27 8:41 p.m., 24 views

CVE-2026-33887 Statamic allows unauthorized content access through missing authorization in its revision controllers

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4, EPSS 0.00142; Exploits 0, References 1

OSV, added 2026/03/27 8:41 p.m., 4 views

CVE-2026-33887 Statamic allows unauthorized content access through missing authorization in its revision controllers

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4, AI score 5.8, EPSS 0.00142; Exploits 0, References 3

OSV, added 2026/03/27 8:40 p.m., 2 views

CVE-2026-33886 Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...

CVSS 6.5, AI score 5.8, EPSS 0.00224; Exploits 0, References 3

CVE, added 2026/03/27 8:39 p.m., 5 views

CVE-2026-33885

Statamic Open Redirect (CVE-2026-33885): Affected versions before 5.73.16 and before 6.7.2 have an issue where external URL detection for redirect validation on unauthenticated endpoints could be bypassed via URL parsing differentials. Impact is redirects to external URLs after actions like form ...

CVSS 6.1, AI score 5.7, EPSS 0.00177; Exploits 0, References 1, Affected Software 1

ATTACKERKB, added 2026/03/27 8:39 p.m., 2 views

CVE-2026-33885

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

CVSS 6.1, AI score 5.7, EPSS 0.00177; Exploits 0, References 2, Affected Software 1

Cvelist, added 2026/03/27 8:39 p.m., 25 views

CVE-2026-33885 Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

CVSS 6.1, EPSS 0.00177; Exploits 0, References 1

OSV, added 2026/03/27 8:39 p.m., 4 views

CVE-2026-33885 Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

CVSS 6.1, AI score 5.7, EPSS 0.00177; Exploits 0, References 3

CVE, added 2026/03/27 8:37 p.m., 7 views

CVE-2026-33883

Overview: CVE-2026-33883 affects Statamic CMS (Laravel/Git-powered). Prior to versions 5.73.16 and 6.7.2, the tag user:reset_password_form could render user input directly into HTML without escaping, enabling a reflected XSS via a crafted URL that executes arbitrary JavaScript in a victim’s brows...

CVSS 6.1, AI score 5.9, EPSS 0.00149; Exploits 0, References 1, Affected Software 1

CVE, added 2026/03/27 8:36 p.m., 5 views

CVE-2026-33882

Statamic CMS vulnerability CVE-2026-33882 affects Statamic versions prior to 5.73.16 and 6.7.2. The issue lies in the markdown preview endpoint, which could be manipulated to return augmented data from arbitrary fieldtypes. In particular, the users fieldtype could be leveraged by an authenticated...

CVSS 6.5, AI score 5.8, EPSS 0.00255; Exploits 0, References 1, Affected Software 1

CNNVD, added 2026/03/27 12:00 a.m., 6 views

Statamic Cross-Site Scripting Vulnerability

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.73.16 and earlier, as well as 6.7.2 and earlier, had a cross-site scripting vulnerability. This...

CVSS 6.1, AI score 5.9, EPSS 0.00149; Exploits 0, References 2

Snyk, added 2026/03/26 7:07 p.m., 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the revision controllers. An attacker can access entry revisions and view sensitive field values and blueprint data by bypassing authorization checks with authenticated Control Panel access. Users may also creat...

CVSS 5.4, AI score 5.9, EPSS 0.00142; Exploits 0, References 2

OSV, added 2026/03/26 7:06 p.m., 5 views

GHSA-GCQF-5X9F-HQ7F Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Impact: A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. Patches: This has been fixed in 5.73.16 and 6.7.2...

CVSS 6.5, AI score 5.8, EPSS 0.00224; Exploits 0, References 3

OSV, added 2026/03/26 7:05 p.m., 3 views

GHSA-8VWX-CCF6-5WG2 Statamic's live preview token bypasses content protection for unrelated entries

Impact: An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. Patches: This has been fixed in 5.73.16 and 6.7.2...

CVSS 4.3, AI score 5.8, EPSS 0.00162; Exploits 0, References 3

Snyk, added 2026/03/26 7:05 p.m., 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the live preview. An attacker can gain unauthorized access to restricted content by using a valid live preview token intended for a different entry. Remediation: Upgrade statamic/cms to version 5.73.16, 6.7.2 ...

CVSS 5.4, AI score 5.9, EPSS 0.00162; Exploits 0, References 2

OSV, added 2026/03/26 7:05 p.m., 6 views

GHSA-3JG4-P23X-P4QX Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Impact: The user:reset_password_form tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. Patches: This has been fixed in 5.73.16 and 6.7.2...

CVSS 6.1, AI score 5.8, EPSS 0.00149; Exploits 0, References 3

Positive Technologies, added 2026/03/26 12:00 a.m., 3 views

PT-2026-28549

Name of the Vulnerable Software and Affected Versions: Statamic versions prior to 5.73.16; Statamic versions prior to 6.7.2. Description: The markdown preview endpoint in Statamic could be manipulated to retrieve augmented data from arbitrary fieldtypes. Specifically, an authenticated control panel...

CVSS 6.5, AI score 5.9, EPSS 0.00255; Exploits 0, References 8