pkg:Packagist/statamic/cms

32 total CVEs: CRITICAL 1, HIGH 13, MEDIUM 16, LOW 2


All known vulnerabilities

  • CRITICAL 9.3 CVE-2026-27593: Statamic is vulnerable to account takeover via password reset link injection
    Affected versions: from 0, < 5.73.10
  • HIGH 8.8 CVE-2026-27939: Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
    Affected versions: >= 6.0.0, < 6.4.0
  • HIGH 8.8 CVE-2023-48217: Statamic CMS vulnerable to remote code execution via form uploads
    Affected versions: >= 4.0.0, < 4.34.0
  • HIGH 8.8 CVE-2017-11422: Statamic framework Incorrect Permission Assignment
    Affected versions: from 0, < 2.6.0
  • HIGH 8.7 CVE-2026-33172: Statamic has Stored XSS via SVG Sanitization Bypass
    Affected versions: >= 6.0.0-alpha.1, < 6.7.0
  • HIGH 8.7 CVE-2026-28426: Statamic vulnerable to privilege escalation via stored cross-site scripting
    Affected versions: from 0, < 5.73.11
  • HIGH 8.7 CVE-2026-25759: Statamic CMS vulnerable to privilege escalation via stored cross-site scripting
    Affected versions: >= 6.0.0, < 6.2.3
  • HIGH 8.3 CVE-2023-47129: Statamic CMS remote code execution via front-end form uploads
    Affected versions: >= 4.0.0, < 4.33.0
  • HIGH 8.2 CVE-2024-24570: Statamic CMS vulnerable to account takeover via XSS and password reset link
    Affected versions: >= 4.00, < 4.46.0
  • HIGH 8.1 CVE-2026-41175: Statamic: Unsafe method invocation via query value resolution allows data destruction
    Affected versions: from 0, < 5.73.20
  • HIGH 8.1 CVE-2026-27196: Statamic affected by privilege escalation via stored cross-site scripting
    Affected versions: >= 6.0.0-alpha.1, < 6.3.2
  • HIGH 8.0 CVE-2026-28425: Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
    Affected versions: from 0, < 5.73.16
  • HIGH 8.0 CVE-2025-64112: Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
    Affected versions: from 0, < 5.22.1
  • HIGH 7.5 CVE-2023-48701: Cross-site Scripting via uploaded assets
    Affected versions: from 0, < 3.4.15
  • MEDIUM 6.8 CVE-2026-28423: Statamic Vulnerable to Server-Side Request Forgery via Glide
    Affected versions: from 0, < 5.73.11
  • MEDIUM 6.5 CVE-2026-33886: Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
    Affected versions: >= 5.73.12, < 5.73.16
  • MEDIUM 6.5 CVE-2026-33882: Statamic's Markdown preview endpoint exposes sensitive user data
    Affected versions: from 0, < 5.73.16
  • MEDIUM 6.5 CVE-2026-28424: Statamic's missing authorization allows access to email addresses
    Affected versions: from 0, < 5.73.11
  • MEDIUM 6.1 CVE-2026-33885: Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
    Affected versions: from 0, < 5.73.16
  • MEDIUM 6.1 CVE-2026-33883: Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
    Affected versions: from 0, < 5.73.16
  • MEDIUM 5.5 CVE-2023-36828: Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG
    Affected versions: from 0, < 4.10.0
  • MEDIUM 5.4 CVE-2026-45660: Statamic CMS: Server-Side Request Forgery via Glide
    Affected versions: from 0, < 5.73.22
  • MEDIUM 5.4 CVE-2026-33887: Statamic allows unauthorized content access through missing authorization in its revision controllers
    Affected versions: from 0, < 5.73.16
  • MEDIUM 5.4 CVE-2026-32612: Statamic vulnerable to privilege escalation via stored cross-site scripting
    Affected versions: >= 6.0.0, < 6.6.2
  • MEDIUM 5.3 CVE-2026-44306: Statamic CMS vulnerable to email enumeration via forgot password endpoint
    Affected versions: from 0, < 5.73.21
  • MEDIUM 5.3 CVE-2024-52600: Statamic CMS has a Path Traversal in Asset Upload
    Affected versions: from 0, < 5.17.0
  • MEDIUM 4.3 CVE-2026-33884: Statamic's live preview token bypasses content protection for unrelated entries
    Affected versions: from 0, < 5.73.16
  • MEDIUM 4.3 CVE-2026-33177: Statamic is missing authorization check on taxonomy term creation via fieldtype
    Affected versions: >= 6.0.0-alpha.1, < 6.7.0
  • MEDIUM 4.3 CVE-2026-33171: Statamic has a path traversal in file dictionary fieldtype
    Affected versions: >= 6.0.0-alpha.1, < 6.7.0
  • MEDIUM 4.3 CVE-2026-25633: Statamic CMS's missing authorization allows access to assets
    Affected versions: from 0, < 5.73.6
  • LOW 3.7 CVE-2022-24784: Discoverability of user password hash in Statamic CMS
    Affected versions: from 0, < 3.2.39
  • LOW 1.8 CVE-2024-36119: Password confirmation stored in plain text via registration form in statamic/cms
    Affected versions: >= 5.3.0, < 5.6.2