CVE-2026-33882
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.
Patches
This has been fixed in 5.73.16 and 6.7.2.
AnalysisAI
Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated control panel users to extract sensitive user data including email addresses, encrypted passkey credentials, and encrypted two-factor authentication codes through manipulation of the markdown preview endpoint. The vulnerability stems from insufficient input validation (CWE-20) that permits attackers to retrieve data from arbitrary fieldtypes beyond the intended scope. With a CVSS score of 6.5 reflecting low attack complexity and high confidentiality impact, the threat is moderate but requires valid control panel authentication to exploit.
Technical ContextAI
Statamic CMS (pkg:composer/statamic_cms) contains a markdown preview endpoint that processes user-controlled input without adequate validation of the fieldtype parameter. The vulnerability is rooted in CWE-20 (Improper Input Validation), allowing an authenticated user to manipulate the endpoint to access data structures not intended for exposure. The users fieldtype, which contains sensitive authentication and credential data, becomes accessible when the endpoint's input filtering is bypassed. This is a server-side logic flaw in a web application feature intended for content preview, not data retrieval across arbitrary field types.
RemediationAI
Upgrade Statamic CMS immediately to version 5.73.16 (if running 5.x) or version 6.7.2 (if running 6.x) or later. Refer to the vendor security advisory at https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4 for detailed upgrade instructions. Until patching is completed, restrict control panel access to trusted administrator accounts only and monitor markdown preview endpoint usage for anomalous fieldtype parameters. Consider implementing network-level access controls to limit control panel exposure if immediate patching is not feasible.
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today