Security Advisories - statamic/cms

statamic/cms Security Advisories (13)

[HIGH] Statamic affected by privilege escalation via stored cross-site scripting

PKSA-vfrr-bp4n-314v CVE-2026-27196 GHSA-8r7r-f4gm-wcpq

Affected version: <5.73.9|>=6.0.0-alpha.1,<6.3.2

Reported by:
GitHub
[HIGH] Statamic CMS vulnerable to privilege escalation via stored cross-site scripting

PKSA-fst8-xgkz-31tn CVE-2026-25759 GHSA-ff9r-ww9c-43x8

Affected version: >=6.0.0,<6.2.3

Reported by:
GitHub
[MEDIUM] Statamic CMS's missing authorization allows access to assets

PKSA-nr63-r5tp-xby1 CVE-2026-25633 GHSA-gwmx-9gcj-332h

Affected version: >=6.0.0-alpha.1,<6.2.5|<5.73.6

Reported by:
GitHub
[HIGH] Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation

PKSA-mmp9-wb2h-d8gy CVE-2025-64112 GHSA-g59r-24g3-h7cm

Affected version: <=5.22.0

Reported by:
GitHub
[MEDIUM] Statamic CMS has a Path Traversal in Asset Upload

PKSA-8gf5-xvpy-gbms CVE-2024-52600 GHSA-p7f6-8mcm-fwv3

Affected version: <=5.16.0

Reported by:
GitHub
[LOW] Password confirmation stored in plain text via registration form in statamic/cms

PKSA-t5bn-h473-kjrn CVE-2024-36119 GHSA-qvpj-w7xj-r6w9

Affected version: >=5.3.0,<5.6.2

Reported by:
GitHub
[HIGH] Statmic CMS vulnerable to account takeover via XSS and password reset link

PKSA-8pw7-xndm-5j7f CVE-2024-24570 GHSA-vqxq-hvxw-9mv9

Affected version: <3.4.17|>=4.00,<4.46.0

Reported by:
GitHub
[HIGH] Cross-site Scripting via uploaded assets

PKSA-jwp2-xxh9-t8xp CVE-2023-48701 GHSA-8jjh-j3c2-cjcv

Affected version: >=4.0.0,<4.36.0|<3.4.15

Reported by:
GitHub
[HIGH] Statamic CMS vulnerable to remote code execution via form uploads

PKSA-8hch-61s9-d7gd CVE-2023-48217 GHSA-2r53-9295-3m86

Affected version: <3.4.14|>=4.0.0,<4.34.0

Reported by:
GitHub
[HIGH] Statamic CMS remote code execution via front-end form uploads

PKSA-tcb6-sf7c-j9gd CVE-2023-47129 GHSA-72hg-5wr5-rmfc

Affected version: <3.4.13|>=4.0.0,<4.33.0

Reported by:
GitHub
[MEDIUM] Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG

PKSA-gfgd-dxd9-46qj CVE-2023-36828 GHSA-6r5g-cq4q-327g

Affected version: <4.10.0

Reported by:
GitHub
[HIGH] Statamic framework Incorrect Permission Assignment

PKSA-4tcv-4gx7-56hm CVE-2017-11422 GHSA-5m64-9hq5-5pf2

Affected version: <2.6.0

Reported by:
GitHub
[LOW] Discoverability of user password hash in Statamic CMS

PKSA-8nyw-p1dz-nqqq CVE-2022-24784 GHSA-qcgx-7p5f-hxvr

Affected version: >=3.3.0,<3.3.2|<3.2.39

Reported by:
GitHub

statamic/cms Security Advisories (13)

[HIGH] Statamic affected by privilege escalation via stored cross-site scripting

[HIGH] Statamic CMS vulnerable to privilege escalation via stored cross-site scripting

[MEDIUM] Statamic CMS's missing authorization allows access to assets

[HIGH] Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation

[MEDIUM] Statamic CMS has a Path Traversal in Asset Upload

[LOW] Password confirmation stored in plain text via registration form in statamic/cms

[HIGH] Statmic CMS vulnerable to account takeover via XSS and password reset link

[HIGH] Cross-site Scripting via uploaded assets

[HIGH] Statamic CMS vulnerable to remote code execution via form uploads

[HIGH] Statamic CMS remote code execution via front-end form uploads

[MEDIUM] Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG

[HIGH] Statamic framework Incorrect Permission Assignment

[LOW] Discoverability of user password hash in Statamic CMS