statamic/cms Security Advisories for v6.6.3 (4)

[MEDIUM] Statamic is missing authorization check on taxonomy term creation via fieldtype
PKSA-ymb8-dx7z-7137 CVE-2026-33177 GHSA-wh3h-gvc4-cc2g
Affected versions: <5.73.14|>=6.0.0-alpha.1,<6.7.0
Reported by: GitHub

[MEDIUM] Statamic has a path traversal in file dictionary fieldtype
PKSA-4mnq-vkqt-4wqf CVE-2026-33171 GHSA-qm7r-wwq7-6f85
Affected versions: <5.73.14|>=6.0.0-alpha.1,<6.7.0
Reported by: GitHub

[HIGH] Statamic has Stored XSS via SVG sanitization bypass
PKSA-8wnz-z9p8-kd44 CVE-2026-33172 GHSA-7rcv-55mj-chg7
Affected versions: <5.73.14|>=6.0.0-alpha.1,<6.7.0
Reported by: GitHub

[CRITICAL] Statamic is vulnerable to account takeover via password reset link injection
PKSA-w3y4-x9d3-9t28 CVE-2026-27593 GHSA-jxq9-79vj-rgvw
Affected versions: >=6.0.0-alpha.1,<6.7.1|<5.73.10
Reported by: GitHub