Skip to main content

CVE-2026-33883

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 https://github.com/statamic/cms
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:05 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Impact

The user:reset_password_form tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.

Patches

This has been fixed in 5.73.16 and 6.7.2.

AnalysisAI

The user:reset_password_form template tag in Statamic CMS fails to escape user-supplied input before rendering it into HTML, enabling reflected cross-site scripting (XSS) attacks via crafted URLs. An unauthenticated remote attacker can exploit this by tricking a victim into clicking a malicious link, causing arbitrary JavaScript execution in the victim's browser with access to session tokens and sensitive page content. Vendor-released patches are available in versions 5.73.16 and 6.7.2.

Technical ContextAI

Statamic CMS (pkg:composer/statamic_cms) uses template tags to render password reset forms. The vulnerable user:reset_password_form tag is a server-side template component that processes user input-typically passed via URL parameters-without proper HTML entity encoding or output escaping. This violates the principle of secure output handling for the CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability class. The attack surface is the template rendering engine itself, which fails to sanitize untrusted input before insertion into HTML context, allowing JavaScript payload injection.

RemediationAI

Upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later immediately. Review the vendor security advisory at https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx for detailed patch notes. If immediate patching is not possible, disable or restrict access to password reset forms using web application firewall rules to block suspicious URL parameters that may contain JavaScript payloads, and implement Content Security Policy (CSP) headers with script-src 'self' to mitigate inline script execution. Monitor access logs for suspicious reset_password_form requests containing encoded script tags or event handler attributes.

Share

CVE-2026-33883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy