statamic/cms Security Advisories for v6.7.1 (7)
[MEDIUM] Statamic allows unauthorized content access through missing authorization in its revision controllers
PKSA-yd5q-tqxd-dxfr CVE-2026-33887 GHSA-4hp7-3wxg-cv9q
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by: GitHub

[MEDIUM] Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
PKSA-74j5-mc2z-3jj1 CVE-2026-33886 GHSA-gcqf-5x9f-hq7f
Affected version: >=6.5.0,<6.7.2|>=5.73.12,<5.73.16
Reported by: GitHub

[MEDIUM] Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
PKSA-3yh1-q236-qg5b CVE-2026-33885 GHSA-7f74-7q5w-hj4r
Affected version: >=6.0.0.alpha.1,<6.7.2|<5.73.16
Reported by: GitHub

[MEDIUM] Statamic's live preview token bypasses content protection for unrelated entries
PKSA-tg1h-vfwx-wzp9 CVE-2026-33884 GHSA-8vwx-ccf6-5wg2
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by: GitHub

[MEDIUM] Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
PKSA-ffqw-wkbr-m6bg CVE-2026-33883 GHSA-3jg4-p23x-p4qx
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by: GitHub

[MEDIUM] Statamic's Markdown preview endpoint exposes sensitive user data
PKSA-8f4x-d8sb-16sq CVE-2026-33882 GHSA-cvh3-23vq-w7h4
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by: GitHub

[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
PKSA-skzr-by55-tmc5 CVE-2026-28425 GHSA-cpv7-q2wx-m8rw
Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16
Reported by: GitHub