30 matches found
Remote Code Execution (RCE)
statamic/cms is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe execution of user-controlled Antlers template content in Antlers-enabled inputs, which allows an attacker with authenticated control panel access to execute arbitrary code in the application context...
CVE-2026-33886
Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
CVE-2026-33886
Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
CVE-2026-33886
Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
CVE-2026-33886
Statamic CMS vulnerability CVE-2026-33886 affects Antlers-enabled content fields. A control panel user could access sensitive configuration values by inserting config variables into content in affected versions: 5.7.12 through 5.73.15 and 6.7.0 through 6.7.1. The issue is fixed in 5.73.16 and 6.7...
CVE-2026-33886 Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
CVE-2026-33886 Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
CVE-2026-33886 Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Statamic is a Laravel and Git powered content management system CMS. Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...
Statamic 信息泄露漏洞
Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.7.12 to 5.73.16, as well as 6.7.2, had an information leakage vulnerability. This vulnerability...
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Impact A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. Patches This has been fixed in 5.73.16 and 6.7.2...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Antlers-enabled fields. An attacker can obtain sensitive application configuration values by inserting configuration variables into content fields accessible to content editors. Remediation Upgrade...
GHSA-GCQF-5X9F-HQ7F Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Impact A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. Patches This has been fixed in 5.73.16 and 6.7.2...
PT-2026-28553
Name of the Vulnerable Software and Affected Versions Statamic versions 5.7.12 through 5.73.15 Statamic versions 6.7.0 through 6.7.1 Description A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into...
CVE-2026-28425
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
Impact An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the Antlers-enabled control panel inputs. An attacker can execute arbitrary code in the application context by submitting specially crafted content to fields. This can result in full compromise of the...
GHSA-CPV7-Q2WX-M8RW Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
Impact An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and...
CVE-2026-28425
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...
CVE-2026-28425 Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...
CVE-2026-28425 Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...