CVE-2026-33885

MEDIUM6.1EPSS 0.05%

Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Published: 3/26/2026Modified: 3/27/2026

Description

### Impact The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. ### Patches This has been fixed in 5.73.16 and 6.7.2.

Affected packages (1)

Packagist/statamic/cmsfrom 0, < 5.73.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33885
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r