47 matches found
CVE-2026-54244
Statamic CMS suffers an Incorrect Authorization issue in the Live Preview feature. Before versions 5.74.0 and 6.20.3, the Live Preview endpoint in src/Http/Controllers/CP/PreviewController.php only checked view permissions and could render caller-supplied field values. A Control Panel user with v...
CVE-2026-54244 Statamic: Incorrect authorization lets view-only users submit Live Preview content reserved for editors
Statamic is a Laravel and Git powered content management system CMS. Prior to 5.74.0 and 6.20.3, the Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewController.php only checked view authorization, but it accepts and renders caller-supplied field values. A...
GHSA-7MQQ-4V55-88GH Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Impact The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareab...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Live Preview process. An attacker can submit unauthorized content and generate shareable preview URLs by leveraging insufficient permission checks. Remediation Upgrade statamic/cms to version 5.74.0, 6.20....
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Impact The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareab...
PT-2026-53029
Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.74.0 Statamic versions prior to 6.20.3 Description The Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewController.php only verifies view authorization but accepts and renders...
Weblate: Stored HTML injection in editor search preview
Impact Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. Patches...
Microsoft Visual Studio Code Live Preview Extension < 0.4.19 Path Traversal (CVE-2026-41612)
The Microsoft Visual Studio Code Live Preview Extension installed on the remote host is prior to 0.4.19. It is, therefore, affected by a path traversal vulnerability: - Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally. CVE-2026-41612 No...
CVE-2026-33884
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...
CVE-2026-33884
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...
CVE-2026-33884 Statamic's live preview token bypasses content protection for unrelated entries
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...
CVE-2026-33884 Statamic's live preview token bypasses content protection for unrelated entries
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...
CVE-2026-33884
CVE-2026-33884 affects Statamic CMS (Laravel/Git-based). An authenticated Control Panel user with access to live preview could misuse a live preview token to access restricted content not intended for that token. Root cause: token-based live preview access bypasses content protection for unrelate...
CVE-2026-33884
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...
CVE-2026-33884 Statamic's live preview token bypasses content protection for unrelated entries
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the live preview. An attacker can gain unauthorized access to restricted content by using a valid live preview token intended for a different entry. Remediation Upgrade statamic/cms to version 5.73.16, 6.7.2 ...
GHSA-8VWX-CCF6-5WG2 Statamic's live preview token bypasses content protection for unrelated entries
Impact An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. Patches This has been fixed in 5.73.16 and 6.7.2...
Statamic's live preview token bypasses content protection for unrelated entries
Impact An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. Patches This has been fixed in 5.73.16 and 6.7.2...
PT-2026-28551
Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.16 Statamic versions prior to 6.7.2 Description An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. Th...
Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs
Cybersecurity researchers have disclosed multiple security vulnerabilities in four popular Microsoft Visual Studio Code VS Code extensions that, if successfully exploited, could allow threat actors to steal local files and execute code remotely. The extensions, which have been collectively...