CVE-2026-28423

MEDIUM6.8EPSS 0.03%

Statamic Vulnerable to Server-Side Request Forgery via Glide

發布日:2026/3/1修改日:2026/3/4

描述

### Impact When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. ## Patches This has been fixed in 5.73.11 and 6.4.0.

受影響套件(1)

Packagist/statamic/cmsfrom 0, < 5.73.11

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28423
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/releases/tag/v5.73.11
WEBhttps://github.com/statamic/cms/releases/tag/v6.4.0
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp