statamic/cms Security Advisories for v3.4.3 (7)
-
[HIGH] Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
PKSA-mmp9-wb2h-d8gy CVE-2025-64112 GHSA-g59r-24g3-h7cm
Affected version: <=5.22.0
Reported by:
GitHub -
[MEDIUM] Statamic CMS has a Path Traversal in Asset Upload
PKSA-8gf5-xvpy-gbms CVE-2024-52600 GHSA-p7f6-8mcm-fwv3
Affected version: <=5.16.0
Reported by:
GitHub -
[HIGH] Statmic CMS vulnerable to account takeover via XSS and password reset link
PKSA-8pw7-xndm-5j7f CVE-2024-24570 GHSA-vqxq-hvxw-9mv9
Affected version: <3.4.17|>=4.00,<4.46.0
Reported by:
GitHub -
[HIGH] Cross-site Scripting via uploaded assets
PKSA-jwp2-xxh9-t8xp CVE-2023-48701 GHSA-8jjh-j3c2-cjcv
Affected version: >=4.0.0,<4.36.0|<3.4.15
Reported by:
GitHub -
[HIGH] Statamic CMS vulnerable to remote code execution via form uploads
PKSA-8hch-61s9-d7gd CVE-2023-48217 GHSA-2r53-9295-3m86
Affected version: <3.4.14|>=4.0.0,<4.34.0
Reported by:
GitHub -
[HIGH] Statamic CMS remote code execution via front-end form uploads
PKSA-tcb6-sf7c-j9gd CVE-2023-47129 GHSA-72hg-5wr5-rmfc
Affected version: <3.4.13|>=4.0.0,<4.33.0
Reported by:
GitHub -
[MEDIUM] Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG
PKSA-gfgd-dxd9-46qj CVE-2023-36828 GHSA-6r5g-cq4q-327g
Affected version: <4.10.0
Reported by:
GitHub