Skip to main content

Statamic CMS CVE-2026-49288

| EUVDEUVD-2026-38059 MEDIUM
Information Exposure (CWE-200)
2026-06-19 GitHub_M GHSA-2497-6pwj-pwg7
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable Control Panel requires low-privilege authenticated access (PR:L); only bounded confidentiality is impacted (C:L), with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 19, 2026 - 21:02 EUVD
Analysis Generated
Jun 19, 2026 - 19:01 vuln.today

DescriptionCVE.org

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.

AnalysisAI

Unauthorized resource disclosure in Statamic CMS allows any authenticated Control Panel user to read metadata and content for entries, assets, users, roles, and groups beyond their assigned permissions. All v5 releases prior to 5.73.23 and all v6 releases prior to 6.20.0 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Control Panel credentials
Delivery
Authenticate to Statamic Control Panel
Exploit
Issue requests to restricted resource endpoints
Execution
Bypass authorization check in resource-fetching layer
Persist
Read unauthorized entries, asset metadata, user records, roles, or groups
Impact
Exfiltrate sensitive content for further targeting

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated session with any Control Panel role in Statamic CMS - there is no unauthenticated attack path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 4.3 (Medium) is well-calibrated: AV:N/AC:L confirms easy network reachability, PR:L establishes that a low-privilege authenticated session is the sole prerequisite, and C:L/I:N/A:N accurately reflects a read-only, bounded confidentiality leak. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A content editor with a legitimately low-privileged Control Panel account crafts requests to Statamic's internal API or Control Panel resource endpoints, targeting collections, asset containers, or user directories outside their assigned permissions. They successfully read draft entry content from a restricted collection, enumerate internal user accounts by ID, or retrieve custom field values containing confidential business data. …
Remediation The primary fix is to upgrade Statamic CMS to version 5.73.23 (for v5 installations) or 6.20.0 (for v6 installations), as confirmed by the vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-2497-6pwj-pwg7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-49288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy