statamic/cms
Source: Packagist. 20 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting statamic/cms
- CVE-2017-11422 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.6.0 | 2017-07-24
  Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc.
- CVE-2022-24784 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 3.3.2 | 2022-03-25
  vulnerable: v3.3.0, v3.3.1
  Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. …
- CVE-2023-36828 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 4.10.0 | 2023-07-05
  vulnerable: v3.0.0 ... v4.9.2 (300 versions)
  Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attack…
- CVE-2023-47129 | HIGH | CVSS 8.3 | EG 8.3 | ✓ Fixed in 3.4.13 | 2023-11-10
  vulnerable: v3.0.0 ... v3.4.9 (271 versions)
  Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using …
- CVE-2023-48217 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 3.4.14 | 2023-11-14
  vulnerable: v3.0.0 ... v3.4.9 (272 versions)
  Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-…
- CVE-2023-48701 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.36.0 | 2023-11-21
  vulnerable: v4.0.0 ... v4.9.2 (48 versions)
  Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms…
- CVE-2024-24570 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 3.4.17 | 2024-02-01
  vulnerable: v3.0.0 ... v3.4.9 (275 versions)
  Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the contro…
- CVE-2024-36119 | LOW | CVSS 1.8 | EG 1.8 | ✓ Fixed in 5.6.2 | 2024-05-30
  vulnerable: v5.3.0, v5.4.0, v5.5.0, v5.6.0, v5.6.1
  Statamic is a Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affec…
- CVE-2024-52600 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.17.0 | 2024-11-19
  vulnerable: v3.0.0 ... v5.9.0 (400 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The iss…
- CVE-2025-64112 | HIGH | CVSS 8.0 | EG 8.0 | ✓ Fixed in 5.22.1 | 2025-10-30
  vulnerable: v3.0.0 ... v5.9.0 (407 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when …
- CVE-2026-25633 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.73.6 | 2026-02-11
  vulnerable: v3.0.0 ... v5.9.0 (478 versions)
  Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without perm…
- CVE-2026-25759 | HIGH | CVSS 8.7 | EG 8.7 | ✓ Fixed in 6.2.3 | 2026-02-11
  vulnerable: v6.0.0, v6.1.0, v6.2.0, v6.2.1, v6.2.2
  Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript th…
- CVE-2026-33882 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 6.7.2 | 2026-03-27
  vulnerable: v6.0.0 ... v6.7.1 (48 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype spe…
- CVE-2026-33883 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 6.7.2 | 2026-03-27
  vulnerable: v6.0.0 ... v6.7.1 (48 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL…
- CVE-2026-33884 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 6.7.2 | 2026-03-27
  vulnerable: v6.0.0 ... v6.7.1 (48 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that th…
- CVE-2026-33885 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 6.7.2 | 2026-03-27
  vulnerable: v6.0.0 ... v6.7.1 (48 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redire…
- CVE-2026-33886 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 6.7.2 | 2026-03-27
  vulnerable: v6.5.0 ... v6.7.1 (7 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application config…
- CVE-2026-33887 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 6.7.2 | 2026-03-27
  vulnerable: v6.0.0 ... v6.7.1 (48 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they …
- CVE-2026-41175 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 6.13.0 | 2026-04-22
  vulnerable: v6.0.0 ... v6.9.0 (55 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss o…
- CVE-2026-44306 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 6.15.0 | 2026-05-12
  vulnerable: v6.0.0 ... v6.9.0 (30 versions)
  Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could …