
Statamic CMS CVE-2026-44306

Severity: MEDIUM (CVSS 3.1 base score 5.3, GitHub Advisory)
Weakness: Observable Response Discrepancy (CWE-204)
Published: 2026-05-06
Repository: https://github.com/statamic/cms
Advisory: GHSA-m24v-f7g5-gq67

Severity by source

GitHub Advisory (primary): 5.3 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory; the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: May 06, 2026 - 21:32 (vuln.today)
Analysis Generated: May 06, 2026 - 21:32 (vuln.today)
CVE Published: May 06, 2026 - 20:54 (nvd)

Description (GitHub Advisory)

Impact

Responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.

Patches

This has been fixed in 5.73.21 and 6.15.0. The forgot password forms now return the same generic response regardless of whether the submitted email matches a registered user.
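The discrepancy and its fix, as an added Python example that is not Statamic's own (PHP) code: the vulnerable handler answers known and unknown addresses with different status codes and messages, while the fixed handler returns one generic response and does equivalent work on both paths so that neither the body nor the timing depends on account existence. The user store, handler names and messages are constructed for illustration; a uniformity check a reviewer can run against either handler is included.

```python
import secrets

# Constructed sample user store; values stand in for user records.
USERS = {"alice@example.com": "user-1", "bob@example.com": "user-2"}


def _issue_reset_token(email):
    # Stand-in for generating, persisting and mailing a reset link.
    # A real implementation stores the token and sends the email out of band.
    return secrets.token_hex(16)


def forgot_password_vulnerable(email):
    """CWE-204: the status code and message reveal whether the account exists."""
    if email in USERS:
        _issue_reset_token(email)
        return 200, "We have emailed your password reset link."
    return 422, "We can't find a user with that email address."


def forgot_password_fixed(email):
    """Uniform response: same status and message for every input.

    The reset email is only actually sent when the account exists, which the
    client cannot tell from the HTTP response.
    """
    if email in USERS:
        _issue_reset_token(email)
    else:
        # Do the same amount of work for unknown addresses so response
        # timing stays comparable; the dummy token is discarded.
        _issue_reset_token("nobody@invalid.example")
    return 200, "If an account exists for that address, a reset link has been sent."


def responses_are_uniform(handler, known_email, unknown_email):
    """Defender check: do a registered and an unregistered address produce
    the same observable (status, body) pair from this handler?"""
    return handler(known_email) == handler(unknown_email)


if __name__ == "__main__":
    for handler in (forgot_password_vulnerable, forgot_password_fixed):
        uniform = responses_are_uniform(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: uniform={uniform}")
```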

Analysis (AI-generated)

Statamic CMS versions before 5.73.21 and 6.0-6.14.x disclose whether an email address is registered via differential responses from the forgot password endpoint, enabling unauthenticated attackers to enumerate valid user accounts and facilitate downstream credential-based attacks. The vulnerability has a CVSS score of 5.3 (low confidentiality impact) and no public exploit code or active exploitation has been identified.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify forgot password endpoint
Delivery: Submit email addresses (enumeration list)
Exploit: Compare response signatures
Execution: Extract valid accounts
Impact: Use enumerated list for phishing or brute-force attacks

Vulnerability Assessment (AI-generated)

Exploitation: The forgot password endpoint must be accessible over the network without authentication (the default configuration in public-facing Statamic deployments). …
Risk Assessment: CVSS 5.3 with AV:N/AC:L/PR:N/UI:N indicates remote, unauthenticated enumeration with low operational complexity, but the impact is limited to confidentiality (C:L: the response reveals only whether an account exists, not credentials or other sensitive data). …
Exploit Scenario: An attacker sends a series of HTTP POST requests to the forgot password endpoint with common email addresses or a targeted list (e.g., employees of a company). By observing response differences (distinct success/failure messages, HTTP status codes, or response times), the attacker identifies which emails are registered. …
Remediation: Upgrade Statamic CMS to version 5.73.21 or 6.15.0 or later. …
