CVE-2026-33882

MEDIUM6.5EPSS 0.11%

Statamic's Markdown preview endpoint exposes sensitive user data

Published: 3/26/2026Modified: 3/27/2026

Description

### Impact The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. ### Patches This has been fixed in 5.73.16 and 6.7.2.

Affected packages (1)

Packagist/statamic/cmsfrom 0, < 5.73.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33882
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4