Security Advisories - statamic/cms

statamic/cms Security Advisories for v5.6.0 (13)

[MEDIUM] Statamic is missing authorization check on taxonomy term creation via fieldtype

PKSA-ymb8-dx7z-7137 CVE-2026-33177 GHSA-wh3h-gvc4-cc2g

Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0

Reported by:
GitHub
[MEDIUM] Statamic has a path traversal in file dictionary fieldtype

PKSA-4mnq-vkqt-4wqf CVE-2026-33171 GHSA-qm7r-wwq7-6f85

Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0

Reported by:
GitHub
[HIGH] Statamic has Stored XSS via SVG Sanitization Bypass

PKSA-8wnz-z9p8-kd44 CVE-2026-33172 GHSA-7rcv-55mj-chg7

Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0

Reported by:
GitHub
[HIGH] Statamic vulnerable to privilege escalation via stored cross-site scripting

PKSA-81wb-3yhb-txs4 CVE-2026-28426 GHSA-5vrj-wf7v-5wr7

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub
[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

PKSA-skzr-by55-tmc5 CVE-2026-28425 GHSA-cpv7-q2wx-m8rw

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub
[MEDIUM] Statamic's missing authorization allows access to email addresses

PKSA-hycr-3628-cp88 CVE-2026-28424 GHSA-w878-f8c6-7r63

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub
[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide

PKSA-n7ys-rxzm-bn18 CVE-2026-28423 GHSA-cwpp-325q-2cvp

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub
[CRITICAL] Statamic is vulnerable to account takeover via password reset link injection

PKSA-w3y4-x9d3-9t28 CVE-2026-27593 GHSA-jxq9-79vj-rgvw

Affected version: >=6.0.0-alpha.1,<6.7.1|<5.73.10

Reported by:
GitHub
[HIGH] Statamic affected by privilege escalation via stored cross-site scripting

PKSA-vfrr-bp4n-314v CVE-2026-27196 GHSA-8r7r-f4gm-wcpq

Affected version: <5.73.9|>=6.0.0-alpha.1,<6.3.2

Reported by:
GitHub
[MEDIUM] Statamic CMS's missing authorization allows access to assets

PKSA-nr63-r5tp-xby1 CVE-2026-25633 GHSA-gwmx-9gcj-332h

Affected version: >=6.0.0-alpha.1,<6.2.5|<5.73.6

Reported by:
GitHub
[HIGH] Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation

PKSA-mmp9-wb2h-d8gy CVE-2025-64112 GHSA-g59r-24g3-h7cm

Affected version: <=5.22.0

Reported by:
GitHub
[MEDIUM] Statamic CMS has a Path Traversal in Asset Upload

PKSA-8gf5-xvpy-gbms CVE-2024-52600 GHSA-p7f6-8mcm-fwv3

Affected version: <=5.16.0

Reported by:
GitHub
[LOW] Password confirmation stored in plain text via registration form in statamic/cms

PKSA-t5bn-h473-kjrn CVE-2024-36119 GHSA-qvpj-w7xj-r6w9

Affected version: >=5.3.0,<5.6.2

Reported by:
GitHub

statamic/cms Security Advisories for v5.6.0 (13)

[MEDIUM] Statamic is missing authorization check on taxonomy term creation via fieldtype

[MEDIUM] Statamic has a path traversal in file dictionary fieldtype

[HIGH] Statamic has Stored XSS via SVG Sanitization Bypass

[HIGH] Statamic vulnerable to privilege escalation via stored cross-site scripting

[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

[MEDIUM] Statamic's missing authorization allows access to email addresses

[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide

[CRITICAL] Statamic is vulnerable to account takeover via password reset link injection

[HIGH] Statamic affected by privilege escalation via stored cross-site scripting

[MEDIUM] Statamic CMS's missing authorization allows access to assets

[HIGH] Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation

[MEDIUM] Statamic CMS has a Path Traversal in Asset Upload

[LOW] Password confirmation stored in plain text via registration form in statamic/cms