CVE-2026-27939
HIGH
GHSA-rw9x-pxqx-q789
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
Analysis
Authenticated Statamic CMS users (versions 6.0.0-6.3.x) can bypass privilege escalation verification checks to gain unauthorized elevated access, potentially enabling unauthorized sensitive operations depending on existing permissions. The vulnerability affects both Statamic and its Laravel framework integration, with a patch available in version 6.4.0.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Statmatic CMS versions 6.0.0-6.3.x and restrict control panel access to essential personnel only. Within 7 days: Apply vendor patch to upgrade to version 6.4.0 or later across all affected instances. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today