CVE-2026-28423

MEDIUM6.8EPSS 0.03%

Statamic Vulnerable to Server-Side Request Forgery via Glide

Published: 3/1/2026Modified: 3/4/2026

Description

### Impact When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. ## Patches This has been fixed in 5.73.11 and 6.4.0.

Affected packages (1)

Packagist/statamic/cmsfrom 0, < 5.73.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28423
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/releases/tag/v5.73.11
WEBhttps://github.com/statamic/cms/releases/tag/v6.4.0
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp