343 matches found
Statamic 安全漏洞
Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.73.14 and earlier, as well as 6.7.0, contained security vulnerabilities. These vulnerabilities...
Statamic 跨站脚本漏洞
Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.73.14 and earlier, as well as 6.7.0 and earlier, had a cross-site scripting vulnerability. This...
GHSA-WH3H-GVC4-CC2G Statamic is missing authorization check on taxonomy term creation via fieldtype
Impact Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. Patches This has been...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the field action processing endpoint. An attacker can bypass intended authorization restrictions by submitting crafted requests with attacker-controlled field definitions. Remediation Upgrade statamic/cms to...
Statamic is missing authorization check on taxonomy term creation via fieldtype
Impact Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. Patches This has been...
GHSA-7RCV-55MJ-CHG7 Statamic has Stored XSS via SVG Sanitization Bypass
Impact Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. Patches This has been fixed in 5.73.14 and 6.7.0...
GHSA-HCCH-W73C-JP4M Statamic vulnerable to privilege escalation via stored cross-site scripting
Impact Stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Patches This has been fixed in 6.6.2...
EUVD-2026-11732
Statamic vulnerable to privilege escalation via stored cross-site scripting...
Statamic vulnerable to privilege escalation via stored cross-site scripting
Impact Stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Patches This has been fixed in 6.6.2...
CVE-2026-32612
Statamic is a Laravel and Git powered content management system CMS. Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Th...
Statamic 跨站脚本漏洞
Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows for storing all content, templates, assets, and settings in files rather than in a database. Versions of Statamic prior to 6.6.2 had a cross-site scripting vulnerability. This vulnerability stemmed from a...
CVE-2026-32612
Statamic is a Laravel and Git powered content management system CMS. Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Th...
CVE-2026-32612 Statamic: privilege escalation via stored cross-site scripting
Statamic is a Laravel and Git powered content management system CMS. Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Th...
CVE-2026-32612 Statamic: privilege escalation via stored cross-site scripting
Statamic is a Laravel and Git powered content management system CMS. Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Th...
CVE-2026-32612 Statamic: privilege escalation via stored cross-site scripting
Statamic is a Laravel and Git powered content management system CMS. Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. Th...
Exploit for CVE-2026-32612
Security Advisories Independent vulnerability disclosures and...
CVE-2026-27939
Statmatic is a Laravel and Git powered content management system CMS. Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensiti...
CVE-2026-28424
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
CVE-2026-28425
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...
Statamic vulnerable to privilege escalation via stored cross-site scripting
Impact Stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Patches This has been fixed in 5.73.11 and 6.4.0...