[CRITICAL] Statamic is vulnerable to account takeover via password reset link injection

PKSA-w3y4-x9d3-9t28 CVE-2026-27593 GHSA-jxq9-79vj-rgvw

Affected package: statamic/cms

Affected version: >=6.0.0-alpha.1,<6.3.3|<5.73.10

Reported by:
GitHub