Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable Control Panel requires low-privilege authenticated access (PR:L); only bounded confidentiality is impacted (C:L), with no integrity or availability consequence.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.
AnalysisAI
Unauthorized resource disclosure in Statamic CMS allows any authenticated Control Panel user to read metadata and content for entries, assets, users, roles, and groups beyond their assigned permissions. All v5 releases prior to 5.73.23 and all v6 releases prior to 6.20.0 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated session with any Control Panel role in Statamic CMS - there is no unauthenticated attack path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 4.3 (Medium) is well-calibrated: AV:N/AC:L confirms easy network reachability, PR:L establishes that a low-privilege authenticated session is the sole prerequisite, and C:L/I:N/A:N accurately reflects a read-only, bounded confidentiality leak. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A content editor with a legitimately low-privileged Control Panel account crafts requests to Statamic's internal API or Control Panel resource endpoints, targeting collections, asset containers, or user directories outside their assigned permissions. They successfully read draft entry content from a restricted collection, enumerate internal user accounts by ID, or retrieve custom field values containing confidential business data. … |
| Remediation | The primary fix is to upgrade Statamic CMS to version 5.73.23 (for v5 installations) or 6.20.0 (for v6 installations), as confirmed by the vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-2497-6pwj-pwg7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38059
GHSA-2497-6pwj-pwg7