[MEDIUM] Statamic's missing authorization allows access to email addresses

PKSA-hycr-3628-cp88 CVE-2026-28424 GHSA-w878-f8c6-7r63

Affected package: statamic/cms

Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11

Reported by:
GitHub