CVE-2026-33883
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The user:reset_password_form tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.
Patches
This has been fixed in 5.73.16 and 6.7.2.
AnalysisAI
The user:reset_password_form template tag in Statamic CMS fails to escape user-supplied input before rendering it into HTML, enabling reflected cross-site scripting (XSS) attacks via crafted URLs. An unauthenticated remote attacker can exploit this by tricking a victim into clicking a malicious link, causing arbitrary JavaScript execution in the victim's browser with access to session tokens and sensitive page content. Vendor-released patches are available in versions 5.73.16 and 6.7.2.
Technical ContextAI
Statamic CMS (pkg:composer/statamic_cms) uses template tags to render password reset forms. The vulnerable user:reset_password_form tag is a server-side template component that processes user input-typically passed via URL parameters-without proper HTML entity encoding or output escaping. This violates the principle of secure output handling for the CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability class. The attack surface is the template rendering engine itself, which fails to sanitize untrusted input before insertion into HTML context, allowing JavaScript payload injection.
RemediationAI
Upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later immediately. Review the vendor security advisory at https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx for detailed patch notes. If immediate patching is not possible, disable or restrict access to password reset forms using web application firewall rules to block suspicious URL parameters that may contain JavaScript payloads, and implement Content Security Policy (CSP) headers with script-src 'self' to mitigate inline script execution. Monitor access logs for suspicious reset_password_form requests containing encoded script tags or event handler attributes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today