
36 matches found

NVD
added 2026/03/27 9:17 p.m., 1 view

CVE-2026-33886

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their...

CVSS 6.5, EPSS 0.00077
Exploits: 0, References: 1
NVD
added 2026/03/27 9:17 p.m., 2 views

CVE-2026-33884

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16...

CVSS 4.3, EPSS 0.0004
Exploits: 0, References: 1
OSV
added 2026/03/27 8:39 p.m., 2 views

CVE-2026-33885 Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

CVSS 6.1, AI score 5.7, EPSS 0.00052
Exploits: 0, References: 3
CVE
added 2026/03/27 8:36 p.m., 2 views

CVE-2026-33882

Statamic CMS vulnerability CVE-2026-33882 affects Statamic versions prior to 5.73.16 and 6.7.2. The issue lies in the markdown preview endpoint, which could be manipulated to return augmented data from arbitrary fieldtypes. In particular, the users fieldtype could be leveraged by an authenticated...

CVSS 6.5, AI score 5.8, EPSS 0.00106
Exploits: 0, References: 1, Affected Software: 1
CNNVD
added 2026/03/27 12:00 a.m., 4 views

Statamic cross-site scripting vulnerability

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.73.16 and earlier, as well as 6.7.2 and earlier, had a cross-site scripting vulnerability. This...

CVSS 6.1, AI score 5.9, EPSS 0.00041
Exploits: 0, References: 2
OSV
added 2026/03/26 7:06 p.m., 2 views

GHSA-GCQF-5X9F-HQ7F Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Impact: A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. Patches: This has been fixed in 5.73.16 and 6.7.2...

CVSS 6.5, AI score 5.8, EPSS 0.00077
Exploits: 0, References: 3
OSV
added 2026/03/26 7:05 p.m., 2 views

GHSA-3JG4-P23X-P4QX Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Impact: The user:resetpasswordform tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. Patches: This has been fixed in 5.73.16 and 6.7.2...

CVSS 6.1, AI score 5.8, EPSS 0.00041
Exploits: 0, References: 3
Positive Technologies
added 2026/03/26 12:00 a.m., 2 views

PT-2026-28549

Name of the Vulnerable Software and Affected Versions: Statamic versions prior to 5.73.16; Statamic versions prior to 6.7.2. Description: The markdown preview endpoint in Statamic could be manipulated to retrieve augmented data from arbitrary fieldtypes. Specifically, an authenticated control panel...

CVSS 6.5, AI score 5.9, EPSS 0.00106
Exploits: 0, References: 8
Snyk
added 2026/02/25 6:17 a.m., 2 views

Infinite loop

Overview: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Infinite loop in reader.py when loading circular /Prev entries in cross-reference streams. An attacker can cause the application ...

CVSS 7.5, AI score 5.9, EPSS 0.00055
Exploits: 0, References: 2
Vulnrichment
added 2026/02/25 2:45 a.m., 0 views

CVE-2026-27628 pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually...

CVSS 5.1, AI score 5.2, EPSS 0.00055
Exploits: 0, References: 3
OSV
added 2026/02/25 2:45 a.m., 0 views

CVE-2026-27628 pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually...

CVSS 5.1, AI score 5.5, EPSS 0.00055
Exploits: 0, References: 5
CNNVD
added 2026/02/25 12:00 a.m., 3 views

pypdf security vulnerability

pypdf is an open-source, free Python library for handling PDF files. It allows for splitting, merging, cropping, and converting pages within PDF files. Prior to version 6.7.2, pypdf had a security vulnerability due to a flaw in handling specially crafted PDF files, which could lead to infinite...

CVSS 7.5, AI score 7.3, EPSS 0.00055
Exploits: 0, References: 3
EUVD
added 2026/01/30 3:08 p.m., 2 views

EUVD-2026-5024

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and wh...

CVSS 8.5, AI score 5.9, EPSS 0.00054
Exploits: 1, References: 3
Cvelist
added 2026/01/30 3:08 p.m., 21 views

CVE-2026-24855 ChurchCRM has Stored Cross-Site Scripting (XSS) in Create Events in Church Calendar, Leading to Account Takeover

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and wh...

CVSS 8.5, EPSS 0.00054
Exploits: 1, References: 3
EUVD
added 2026/01/30 3:05 p.m., 2 views

EUVD-2026-5023

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint /PaddleNumEditor.php in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the PerID parameter. Version 6.7...

CVSS 8.8, AI score 5.9, EPSS 0.00045
Exploits: 2, References: 2
CVE
added 2026/01/30 3:05 p.m., 7 views

CVE-2026-24854

ChurchCRM prior to 6.7.2 is vulnerable to an authenticated SQL injection in PaddleNumEditor.php where the PerID parameter is concatenated into queries. The PoC and Red Hat/NVD entries confirm an injection that can affect multiple records and logic, with the fix incorporating explicit (int) castin...

CVSS 8.8, AI score 5.9, EPSS 0.00045
Exploits: 2, References: 2, Affected Software: 1
Cvelist
added 2026/01/30 3:05 p.m., 26 views

CVE-2026-24854 Church CRM has SQL injection in PaddleNumEditor.php

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint /PaddleNumEditor.php in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the PerID parameter. Version 6.7...

CVSS 8.8, EPSS 0.00045
Exploits: 2, References: 2
CNNVD
added 2026/01/30 12:00 a.m., 1 view

ChurchCRM SQL injection vulnerability

ChurchCRM is an open source CRM system for churches. A SQL injection vulnerability exists in ChurchCRM versions prior to 6.7.2, which stems from the lack of validation of external input in SQL statements built from the PerID parameter in the /PaddleNumEditor.php endpoint. An attacker c...

CVSS 8.8, AI score 5.9, EPSS 0.00045
Exploits: 2, References: 3
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-18708

Malicious code in bioql PyPI...

CVSS 6.3, AI score 6.3, EPSS 0.00416
Exploits: 0, References: 4
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-34503

Malicious code in bioql PyPI...

CVSS 5.3, AI score 6.4, EPSS 0.00366
Exploits: 0, References: 1