Statamic CMS CVE-2026-54244
LOWSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
PR:L confirmed since Control Panel account is required; UI:R because third-party must view the shared preview URL for meaningful impact; I:L only since no content is persisted or published.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL rendering it.
Patches
This has been fixed in 5.74.0 and 6.20.3.
AnalysisAI
Incorrect authorization in Statamic CMS's Live Preview endpoint allows authenticated Control Panel users with view-only permissions to submit and render arbitrary field values they are not authorized to edit. By exploiting this flaw, a restricted user can generate a shareable Live Preview URL that displays unauthorized content as if authored through legitimate editorial workflow. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated Control Panel account with at minimum view permission on entries or terms - unauthenticated external access is not sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 3.5 (Low) accurately reflects the constrained impact: exploitation requires a valid Control Panel account with at least view permission (PR:L), user interaction is needed for the preview URL to be viewed (UI:R), and the integrity impact is limited to generating a preview rendering - not actual content publication or database modification (I:L, C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Control Panel user assigned a view-only role navigates to an existing entry's Live Preview endpoint and crafts an HTTP request that includes caller-supplied field values containing unauthorized or fabricated content. The endpoint renders this content and returns a shareable preview URL, which the attacker distributes externally to present misleading information under the appearance of the legitimate site's branding. … |
| Remediation | Upgrade Statamic CMS to version 5.74.0 (for 5.x deployments) or 6.20.3 (for 6.x deployments), as confirmed by the vendor in the GitHub Security Advisory GHSA-7mqq-4v55-88gh at https://github.com/statamic/cms/security/advisories/GHSA-7mqq-4v55-88gh. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7mqq-4v55-88gh