statamic/cms Security Advisories (30)
-
[HIGH] Statamic: Unsafe method invocation via query value resolution allows data destruction
PKSA-yx2m-bjk3-fnky CVE-2026-41175 GHSA-4jjr-vmv7-wh4w
Affected version: >=6.0.0-alpha.1,<6.13.0|<5.73.20
Reported by:
GitHub -
[MEDIUM] Statamic allows unauthorized content access through missing authorization in its revision controllers
PKSA-yd5q-tqxd-dxfr CVE-2026-33887 GHSA-4hp7-3wxg-cv9q
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
PKSA-74j5-mc2z-3jj1 CVE-2026-33886 GHSA-gcqf-5x9f-hq7f
Affected version: >=6.5.0,<6.7.2|>=5.73.12,<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
PKSA-3yh1-q236-qg5b CVE-2026-33885 GHSA-7f74-7q5w-hj4r
Affected version: >=6.0.0.alpha.1,<6.7.2|<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic's live preview token bypasses content protection for unrelated entries
PKSA-tg1h-vfwx-wzp9 CVE-2026-33884 GHSA-8vwx-ccf6-5wg2
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
PKSA-ffqw-wkbr-m6bg CVE-2026-33883 GHSA-3jg4-p23x-p4qx
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic's Markdown preview endpoint exposes sensitive user data
PKSA-8f4x-d8sb-16sq CVE-2026-33882 GHSA-cvh3-23vq-w7h4
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic is missing authorization check on taxonomy term creation via fieldtype
PKSA-ymb8-dx7z-7137 CVE-2026-33177 GHSA-wh3h-gvc4-cc2g
Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0
Reported by:
GitHub -
[MEDIUM] Statamic has a path traversal in file dictionary fieldtype
PKSA-4mnq-vkqt-4wqf CVE-2026-33171 GHSA-qm7r-wwq7-6f85
Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0
Reported by:
GitHub -
[HIGH] Statamic has Stored XSS via SVG Sanitization Bypass
PKSA-8wnz-z9p8-kd44 CVE-2026-33172 GHSA-7rcv-55mj-chg7
Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0
Reported by:
GitHub -
[MEDIUM] Statamic vulnerable to privilege escalation via stored cross-site scripting
PKSA-thnk-qh3m-ttzb CVE-2026-32612 GHSA-hcch-w73c-jp4m
Affected version: >=6.0.0,<6.6.2
Reported by:
GitHub -
[HIGH] Statamic vulnerable to privilege escalation via stored cross-site scripting
PKSA-81wb-3yhb-txs4 CVE-2026-28426 GHSA-5vrj-wf7v-5wr7
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub -
[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
PKSA-skzr-by55-tmc5 CVE-2026-28425 GHSA-cpv7-q2wx-m8rw
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by:
GitHub -
[MEDIUM] Statamic's missing authorization allows access to email addresses
PKSA-hycr-3628-cp88 CVE-2026-28424 GHSA-w878-f8c6-7r63
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub -
[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide
PKSA-n7ys-rxzm-bn18 CVE-2026-28423 GHSA-cwpp-325q-2cvp
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub -
[HIGH] Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
PKSA-7n8y-6n2j-9v3z CVE-2026-27939 GHSA-rw9x-pxqx-q789
Affected version: >=6.0.0,<6.4.0
Reported by:
GitHub -
[CRITICAL] Statamic is vulnerable to account takeover via password reset link injection
PKSA-w3y4-x9d3-9t28 CVE-2026-27593 GHSA-jxq9-79vj-rgvw
Affected version: >=6.0.0-alpha.1,<6.7.1|<5.73.10
Reported by:
GitHub -
[HIGH] Statamic affected by privilege escalation via stored cross-site scripting
PKSA-vfrr-bp4n-314v CVE-2026-27196 GHSA-8r7r-f4gm-wcpq
Affected version: <5.73.9|>=6.0.0-alpha.1,<6.3.2
Reported by:
GitHub -
[HIGH] Statamic CMS vulnerable to privilege escalation via stored cross-site scripting
PKSA-fst8-xgkz-31tn CVE-2026-25759 GHSA-ff9r-ww9c-43x8
Affected version: >=6.0.0,<6.2.3
Reported by:
GitHub -
[MEDIUM] Statamic CMS's missing authorization allows access to assets
PKSA-nr63-r5tp-xby1 CVE-2026-25633 GHSA-gwmx-9gcj-332h
Affected version: >=6.0.0-alpha.1,<6.2.5|<5.73.6
Reported by:
GitHub -
[HIGH] Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
PKSA-mmp9-wb2h-d8gy CVE-2025-64112 GHSA-g59r-24g3-h7cm
Affected version: <=5.22.0
Reported by:
GitHub -
[MEDIUM] Statamic CMS has a Path Traversal in Asset Upload
PKSA-8gf5-xvpy-gbms CVE-2024-52600 GHSA-p7f6-8mcm-fwv3
Affected version: <=5.16.0
Reported by:
GitHub -
[LOW] Password confirmation stored in plain text via registration form in statamic/cms
PKSA-t5bn-h473-kjrn CVE-2024-36119 GHSA-qvpj-w7xj-r6w9
Affected version: >=5.3.0,<5.6.2
Reported by:
GitHub -
[HIGH] Statmic CMS vulnerable to account takeover via XSS and password reset link
PKSA-8pw7-xndm-5j7f CVE-2024-24570 GHSA-vqxq-hvxw-9mv9
Affected version: <3.4.17|>=4.00,<4.46.0
Reported by:
GitHub -
[HIGH] Cross-site Scripting via uploaded assets
PKSA-jwp2-xxh9-t8xp CVE-2023-48701 GHSA-8jjh-j3c2-cjcv
Affected version: >=4.0.0,<4.36.0|<3.4.15
Reported by:
GitHub -
[HIGH] Statamic CMS vulnerable to remote code execution via form uploads
PKSA-8hch-61s9-d7gd CVE-2023-48217 GHSA-2r53-9295-3m86
Affected version: <3.4.14|>=4.0.0,<4.34.0
Reported by:
GitHub -
[HIGH] Statamic CMS remote code execution via front-end form uploads
PKSA-tcb6-sf7c-j9gd CVE-2023-47129 GHSA-72hg-5wr5-rmfc
Affected version: <3.4.13|>=4.0.0,<4.33.0
Reported by:
GitHub -
[MEDIUM] Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG
PKSA-gfgd-dxd9-46qj CVE-2023-36828 GHSA-6r5g-cq4q-327g
Affected version: <4.10.0
Reported by:
GitHub -
[HIGH] Statamic framework Incorrect Permission Assignment
PKSA-4tcv-4gx7-56hm CVE-2017-11422 GHSA-5m64-9hq5-5pf2
Affected version: <2.6.0
Reported by:
GitHub -
[LOW] Discoverability of user password hash in Statamic CMS
PKSA-8nyw-p1dz-nqqq CVE-2022-24784 GHSA-qcgx-7p5f-hxvr
Affected version: >=3.3.0,<3.3.2|<3.2.39
Reported by:
GitHub