What is the CVSS score of CVE-2026-27593?

CVE-2026-27593 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Laravel are affected by CVE-2026-27593?

A critical vulnerability in Statmatic's password reset feature allows attackers to hijack user accounts by intercepting password reset tokens, potentially compromising administrative access and…. A patch is available.

How to fix or mitigate CVE-2026-27593?

Within 24 hours: Identify all Statmatic instances and document current versions in use; notify system owners and relevant stakeholders of the critical risk. Within 7 days: Apply vendor patches to upgrade to versions 6.3.3 or 5.73.10 across all production and non-production environments; verify patch deployment with version confirmation. Within 30 days: Conduct post-incident review; audit password reset logs for suspicious activity during the vulnerability window; force password resets for all administrative accounts and review account access logs for unauthorized changes.

Laravel CVE-2026-27593

CRITICAL

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

2026-02-24 security-advisories@github.com

GHSA-jxq9-79vj-rgvw

Laravel Statamic

9.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.3 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch released

Feb 25, 2026 - 20:27 nvd

Patch available

CVE Published

Feb 24, 2026 - 22:16 nvd

CRITICAL 9.3

DescriptionGitHub Advisory

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.

AnalysisAI

Password reset poisoning in Statamic CMS before 6.3.3/5.73.10 allows attackers to steal password reset tokens by manipulating the Host header in reset requests. Patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker knows victim email address

Delivery

Trigger password reset for victim account

Exploit

Attacker intercepts reset token from email

Execution

Victim clicks malicious link

Persist

Attacker captures token and resets password

Impact

Gains unauthorized account access