Skip to main content

CVE-2026-33882

MEDIUM
Improper Input Validation (CWE-20)
2026-03-26 https://github.com/statamic/cms
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:03 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Impact

The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.

Patches

This has been fixed in 5.73.16 and 6.7.2.

AnalysisAI

Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated control panel users to extract sensitive user data including email addresses, encrypted passkey credentials, and encrypted two-factor authentication codes through manipulation of the markdown preview endpoint. The vulnerability stems from insufficient input validation (CWE-20) that permits attackers to retrieve data from arbitrary fieldtypes beyond the intended scope. With a CVSS score of 6.5 reflecting low attack complexity and high confidentiality impact, the threat is moderate but requires valid control panel authentication to exploit.

Technical ContextAI

Statamic CMS (pkg:composer/statamic_cms) contains a markdown preview endpoint that processes user-controlled input without adequate validation of the fieldtype parameter. The vulnerability is rooted in CWE-20 (Improper Input Validation), allowing an authenticated user to manipulate the endpoint to access data structures not intended for exposure. The users fieldtype, which contains sensitive authentication and credential data, becomes accessible when the endpoint's input filtering is bypassed. This is a server-side logic flaw in a web application feature intended for content preview, not data retrieval across arbitrary field types.

RemediationAI

Upgrade Statamic CMS immediately to version 5.73.16 (if running 5.x) or version 6.7.2 (if running 6.x) or later. Refer to the vendor security advisory at https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4 for detailed upgrade instructions. Until patching is completed, restrict control panel access to trusted administrator accounts only and monitor markdown preview endpoint usage for anomalous fieldtype parameters. Consider implementing network-level access controls to limit control panel exposure if immediate patching is not feasible.

Share

CVE-2026-33882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy