Security Advisories - statamic/cms

statamic/cms Security Advisories for v5.73.10 (20)

[LOW] Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors

PKSA-9stt-y5w8-fn5y CVE-2026-54244 GHSA-7mqq-4v55-88gh

Affected version: >=6.0.0,<6.20.3|<5.74.0

Reported by:
GitHub
[MEDIUM] Statamic Vulnerable to CSV formula injection in form submission exports

PKSA-q7zp-ytbf-kmf9 CVE-2026-54243 GHSA-h77m-qrj7-jxcw

Affected version: <5.73.24|>=6.0.0,<6.20.1

Reported by:
GitHub
[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)

PKSA-9vds-c3yh-rq22 CVE-2026-54242 GHSA-v5c4-wcpj-x73m

Affected version: >=6.0.0,<6.20.1|<5.73.24

Reported by:
GitHub
[HIGH] Statamic CMS's unsafe method invocation via collection sorting allows data destruction

PKSA-fhw5-pm86-31ff CVE-2026-49287 GHSA-m92m-r54r-x8r2

Affected version: >=6.0.0,<6.20.0|<5.73.23

Reported by:
GitHub
[MEDIUM] Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

PKSA-ykrx-2shq-vs9n CVE-2026-49288 GHSA-2497-6pwj-pwg7

Affected version: >=6.0.0,<6.20.0|<5.73.23

Reported by:
GitHub
[MEDIUM] Statamic CMS: Server-Side Request Forgery via Glide

PKSA-7fht-jznj-7mgv CVE-2026-45660 GHSA-pf9c-ch8r-2958

Affected version: >=6.0.0-alpha.1,<6.18.1|<5.73.22

Reported by:
GitHub
[MEDIUM] Statamic CMS vulnerable to email enumeration via forgot password endpoint

PKSA-ynr1-y6st-8cwm CVE-2026-44306 GHSA-m24v-f7g5-gq67

Affected version: >=6.0.0,<6.15.0|<5.73.21

Reported by:
GitHub
[HIGH] Statamic: Unsafe method invocation via query value resolution allows data destruction

PKSA-yx2m-bjk3-fnky CVE-2026-41175 GHSA-4jjr-vmv7-wh4w

Affected version: >=6.0.0-alpha.1,<6.13.0|<5.73.20

Reported by:
GitHub
[MEDIUM] Statamic allows unauthorized content access through missing authorization in its revision controllers

PKSA-yd5q-tqxd-dxfr CVE-2026-33887 GHSA-4hp7-3wxg-cv9q

Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub
[MEDIUM] Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

PKSA-3yh1-q236-qg5b CVE-2026-33885 GHSA-7f74-7q5w-hj4r

Affected version: >=6.0.0.alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub
[MEDIUM] Statamic's live preview token bypasses content protection for unrelated entries

PKSA-tg1h-vfwx-wzp9 CVE-2026-33884 GHSA-8vwx-ccf6-5wg2

Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub
[MEDIUM] Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

PKSA-ffqw-wkbr-m6bg CVE-2026-33883 GHSA-3jg4-p23x-p4qx

Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub
[MEDIUM] Statamic's Markdown preview endpoint exposes sensitive user data

PKSA-8f4x-d8sb-16sq CVE-2026-33882 GHSA-cvh3-23vq-w7h4

Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub
[MEDIUM] Statamic is missing authorization check on taxonomy term creation via fieldtype

PKSA-ymb8-dx7z-7137 CVE-2026-33177 GHSA-wh3h-gvc4-cc2g

Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0

Reported by:
GitHub
[MEDIUM] Statamic has a path traversal in file dictionary fieldtype

PKSA-4mnq-vkqt-4wqf CVE-2026-33171 GHSA-qm7r-wwq7-6f85

Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0

Reported by:
GitHub
[HIGH] Statamic has Stored XSS via SVG Sanitization Bypass

PKSA-8wnz-z9p8-kd44 CVE-2026-33172 GHSA-7rcv-55mj-chg7

Affected version: <5.73.14|>=6.0.0-alpha.1,<6.7.0

Reported by:
GitHub
[HIGH] Statamic vulnerable to privilege escalation via stored cross-site scripting

PKSA-81wb-3yhb-txs4 CVE-2026-28426 GHSA-5vrj-wf7v-5wr7

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub
[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

PKSA-skzr-by55-tmc5 CVE-2026-28425 GHSA-cpv7-q2wx-m8rw

Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub
[MEDIUM] Statamic's missing authorization allows access to email addresses

PKSA-hycr-3628-cp88 CVE-2026-28424 GHSA-w878-f8c6-7r63

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub
[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide

PKSA-n7ys-rxzm-bn18 CVE-2026-28423 GHSA-cwpp-325q-2cvp

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub

statamic/cms Security Advisories for v5.73.10 (20)

[LOW] Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors

[MEDIUM] Statamic Vulnerable to CSV formula injection in form submission exports

[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)

[HIGH] Statamic CMS's unsafe method invocation via collection sorting allows data destruction

[MEDIUM] Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

[MEDIUM] Statamic CMS: Server-Side Request Forgery via Glide

[MEDIUM] Statamic CMS vulnerable to email enumeration via forgot password endpoint

[HIGH] Statamic: Unsafe method invocation via query value resolution allows data destruction

[MEDIUM] Statamic allows unauthorized content access through missing authorization in its revision controllers

[MEDIUM] Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

[MEDIUM] Statamic's live preview token bypasses content protection for unrelated entries

[MEDIUM] Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

[MEDIUM] Statamic's Markdown preview endpoint exposes sensitive user data

[MEDIUM] Statamic is missing authorization check on taxonomy term creation via fieldtype

[MEDIUM] Statamic has a path traversal in file dictionary fieldtype

[HIGH] Statamic has Stored XSS via SVG Sanitization Bypass

[HIGH] Statamic vulnerable to privilege escalation via stored cross-site scripting

[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

[MEDIUM] Statamic's missing authorization allows access to email addresses

[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide