Statamic CMS CVE-2026-44306
Severity by source: MEDIUM
CVSS Vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
Impact
Responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.
Patches
This has been fixed in 5.73.21 and 6.15.0. The forgot password forms now return the same generic response regardless of whether the submitted email address matches a registered user.
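The fix the advisory describes, one generic response whether or not the address is registered, shown as an added Python illustration. This is not Statamic's code: the user store, the mailer and the reset-token handling are constructed stand-ins, and the two handlers only model the response shape before and after the change (CWE-204, observable response discrepancy).

```python
"""Forgot-password handler: leaking shape vs. uniform-response shape.

Added illustration, not Statamic's code. USERS, SENT, RESET_TOKENS and the
send_reset_mail() stand-in are constructed for the example.
"""
import hashlib
import secrets

# Constructed sample user store: email -> account record.
USERS = {
    "alice@example.com": {"id": 1},
    "bob@example.com": {"id": 2},
}

# Constructed side-effect sinks so the example runs offline.
SENT = []            # (email, token) pairs the mailer stand-in would send
RESET_TOKENS = {}    # sha256(token) -> user id, as a server would store it

GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def send_reset_mail(email, token):
    """Stand-in for the mailer: records what would have been sent."""
    SENT.append((email, token))


def forgot_password_vulnerable(email):
    """Leaking shape: status code and body depend on whether the address exists,
    so an unauthenticated caller can tell registered from unregistered emails."""
    user = USERS.get(email)
    if user is None:
        return 404, "No account found for that email address."
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = user["id"]
    send_reset_mail(email, token)
    return 200, "A password reset link has been sent."


def forgot_password_fixed(email):
    """Uniform shape: the same status and body are returned on both branches.
    The token generation and hashing run on both branches as well, so the
    unknown-address branch is not noticeably cheaper; only the mail and the
    stored token are conditional."""
    user = USERS.get(email)
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if user is not None:
        RESET_TOKENS[digest] = user["id"]
        send_reset_mail(email, token)
    # Unknown address: token and digest are discarded, response is identical.
    return 200, GENERIC_MESSAGE


def leaks_account_existence(handler, known_email, unknown_email):
    """True if the handler's (status, body) differs between a registered and an
    unregistered address, i.e. the response itself reveals account existence."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    for handler in (forgot_password_vulnerable, forgot_password_fixed):
        leak = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: leaks account existence = {leak}")
```

The check compares only the response tuple; a real review of the endpoint would also compare response headers, redirects and rendered form errors, since any of those can carry the same discrepancy. Pairing the uniform response with rate limiting on the endpoint is the usual companion control, because a uniform body does nothing against volume-based probing on its own.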
Analysis (AI)
Statamic CMS versions before 5.73.21, and 6.x versions before 6.15.0, disclose whether an email address is registered through differential responses from the forgot password endpoint. This lets unauthenticated attackers enumerate valid user accounts and supports downstream credential-based attacks. The vulnerability has a CVSS score of 5.3 (low confidentiality impact); no public exploit code or active exploitation has been identified.
Vulnerability Assessment (AI)

| Topic | Assessment |
|---|---|
| Exploitation | The forgot password endpoint must be reachable over the network without authentication (the default configuration in public-facing Statamic deployments). … |
| Risk Assessment | CVSS 5.3 with AV:N/AC:L/PR:N/UI:N indicates remote, unauthenticated enumeration with low operational complexity, but the impact is limited to confidentiality (C:L: it reveals only account existence, not credentials or sensitive data). … |
| Exploit Scenario | An attacker sends a series of HTTP POST requests to the forgot password endpoint with common email addresses or a targeted list (e.g., employees of a company). By observing response differences (distinct success/failure messages, HTTP status codes, or response times), the attacker identifies which emails are registered. … |
| Remediation | Upgrade Statamic CMS to version 5.73.21 or 6.15.0 or later. … |
Same weakness: CWE-204 – Observable Response Discrepancy
Same technique: Information Disclosure
GitHub Advisory: GHSA-m24v-f7g5-gq67