{"id":444346,"name":"statamic/cms","ecosystem":"packagist","description":"The Statamic CMS Core Package","homepage":"","licenses":"proprietary","normalized_licenses":["Other"],"repository_url":"https://github.com/statamic/cms","keywords_array":["cms","laravel","flat file","statamic"],"namespace":"statamic","versions_count":496,"first_release_published_at":"2019-11-26T21:40:53.000Z","latest_release_published_at":"2026-01-13T20:09:36.000Z","latest_release_number":"v5.72.0","last_synced_at":"2026-04-01T12:05:00.239Z","created_at":"2022-04-07T01:13:58.685Z","updated_at":"2026-06-19T03:13:44.236Z","registry_url":"https://packagist.org/packages/statamic/cms#","install_command":"composer require statamic/cms","documentation_url":null,"metadata":{"funding":[{"url":"https://github.com/statamic","type":"github"}]},"repo_metadata":{"id":37260648,"uuid":"111562942","full_name":"statamic/cms","owner":"statamic","description":"The core Laravel CMS Composer package","archived":false,"fork":false,"pushed_at":"2026-02-27T21:39:23.000Z","size":72982,"stargazers_count":4723,"open_issues_count":304,"forks_count":616,"subscribers_count":30,"default_branch":"6.x","last_synced_at":"2026-02-28T00:51:41.490Z","etag":null,"topics":["api-rest","cms","composer-package","content-management-system","flat-file-cms","flatfile","flatfilecms","graphql","headless","jamstack","laravel","laravel-cms","laravel-package","php","php8","ssg","statamic","vuejs"],"latest_commit_sha":null,"homepage":"https://statamic.com","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/statamic.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","s
upport":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"statamic"}},"created_at":"2017-11-21T14:56:36.000Z","updated_at":"2026-02-27T21:39:16.000Z","dependencies_parsed_at":"2026-01-16T11:10:26.264Z","dependency_job_id":null,"html_url":"https://github.com/statamic/cms","commit_stats":{"total_commits":10847,"total_committers":281,"mean_commits":38.60142348754449,"dds":"0.49313174149534433","last_synced_commit":"74387f0ca0df9e1a0f42c519f751a1c9cbcdac3a"},"previous_names":[],"tags_count":527,"template":false,"template_full_name":null,"purl":"pkg:github/statamic/cms","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/statamic%2Fcms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/statamic%2Fcms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/statamic%2Fcms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/statamic%2Fcms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/statamic","download_url":"https://codeload.github.com/statamic/cms/tar.gz/refs/heads/6.x","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/statamic%2Fcms/sbom","scorecard":{"id":390024,"data":{"date":"2025-08-11","repo":{"name":"github.com/statamic/cms","commit":"14fe78d2831d7859c8a641944f98f42f9142884d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.9,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":7,"reason":"Found 23/30 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI 
license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v5.63.0 not signed: https://api.github.com/repos/statamic/cms/releases/238073815","Warn: release artifact v5.62.0 not signed: https://api.github.com/repos/statamic/cms/releases/237513561","Warn: release artifact v5.61.0 not signed: https://api.github.com/repos/statamic/cms/releases/235243817","Warn: release artifact v5.60.0 not signed: https://api.github.com/repos/statamic/cms/releases/232609599","Warn: release artifact v5.59.0 not signed: https://api.github.com/repos/statamic/cms/releases/231599091","Warn: release artifact v5.63.0 does not have provenance: https://api.github.com/repos/statamic/cms/releases/238073815","Warn: release artifact v5.62.0 does not have provenance: https://api.github.com/repos/statamic/cms/releases/237513561","Warn: release artifact v5.61.0 does not have provenance: https://api.github.com/repos/statamic/cms/releases/235243817","Warn: release artifact v5.60.0 does not have provenance: https://api.github.com/repos/statamic/cms/releases/232609599","Warn: release artifact v5.59.0 does not have provenance: https://api.github.com/repos/statamic/cms/releases/231599091"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 26 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"12 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6","Warn: Project is vulnerable to: GHSA-x574-m823-4x7w","Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8","Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x","Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4","Warn: Project is vulnerable to: GHSA-859w-5945-r5v3","Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T17:35:08.102Z","repository_id":37260648,"created_at":"2025-08-18T17:35:08.103Z","updated_at":"2025-08-18T17:35:08.103Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29924719,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"online","status_checked_at":"2026-02-28T02:00:07.010Z","response_time":90,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"statamic","name":"Statamic","uuid":"1669353","kind":"organization","description":"Build beautiful, easy to manage websites. The flat-first, open source, Laravel + git powered CMS.","email":"hello@statamic.com","website":"https://statamic.com","location":"USA","twitter":"statamic","company":null,"icon_url":"https://avatars.githubusercontent.com/u/1669353?v=4","repositories_count":79,"last_synced_at":"2024-05-01T09:30:31.581Z","metadata":{"has_sponsors_listing":true},"html_url":"https://github.com/statamic","funding_links":["https://github.com/sponsors/statamic"],"total_stars":5991,"followers":228,"following":0,"created_at":"2022-11-03T17:42:50.395Z","updated_at":"2024-05-01T09:30:50.988Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/statamic","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/statamic/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-02-28T04:01:24.776Z","dependent_packages_count":377,"downloads":2991735,"downloads_period":"total","dependent_repos_count":388,"rankings":{"downloads":0.8949616053498373,"dependent_repos_count":0.45445711808410444,"dependent_packages_count":0.10912950532940666,"stargazers_count":0.11984313256494201,"forks_count":0.14650262359290211,"docker_downloads_count":null,"average":0.3449787969842385},"purl":"pkg:composer/statamic/cms","advisories":[{"uuid":"GSA_kwCzR0hTQS1wZjljLWNoOHItMjk1OM4ABXA2","url":"https://github.com/advisories/GHSA-pf9c-ch8r-2958","title":"Statamic CMS: Server-Side Request Forgery via Glide","description":"### Impact\n\nThe Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints.\n\nThis affects sites that pass user-supplied URLs to Glide. 
Sites running PHP 8.3 or newer are not affected.\n\n### Patches\n\nThis has been fixed in 5.73.22 and 6.18.1","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-18T15:32:43.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.4,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-pf9c-ch8r-2958","https://nvd.nist.gov/vuln/detail/CVE-2026-45660","https://github.com/advisories/GHSA-pf9c-ch8r-2958"],"source_kind":"github","identifiers":["GHSA-pf9c-ch8r-2958","CVE-2026-45660"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-18T16:00:16.699Z","updated_at":"2026-06-10T15:00:37.565Z","epss_percentage":0.00044,"epss_percentile":0.13949,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZjljLWNoOHItMjk1OM4ABXA2","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wZjljLWNoOHItMjk1OM4ABXA2","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.18.1","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.18.1"},{"first_patched_version":"5.73.22","vulnerable_version_range":"\u003c 5.73.22"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZjljLWNoOHItMjk1OM4ABXA2/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1tMjR2LWY3ZzUtZ3E2N84ABWTk","url":"https://github.com/advisories/GHSA-m24v-f7g5-gq67","title":"Statamic CMS vulnerable to email enumeration via forgot password endpoint","description":"### Impact\n\nResponses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.\n\n### Patches\n\nThis has been fixed in 5.73.21 and 6.15.0. 
The forgot password forms now return the same generic response regardless of whether the submitted email matches a registered user.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-06T20:54:31.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67","https://nvd.nist.gov/vuln/detail/CVE-2026-44306","https://github.com/advisories/GHSA-m24v-f7g5-gq67"],"source_kind":"github","identifiers":["GHSA-m24v-f7g5-gq67","CVE-2026-44306"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-06T21:00:08.774Z","updated_at":"2026-06-14T01:00:46.771Z","epss_percentage":0.00041,"epss_percentile":0.12857,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMjR2LWY3ZzUtZ3E2N84ABWTk","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1tMjR2LWY3ZzUtZ3E2N84ABWTk","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.15.0","vulnerable_version_range":"\u003e= 6.0.0, \u003c 6.15.0"},{"first_patched_version":"5.73.21","vulnerable_version_range":"\u003c 5.73.21"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMjR2LWY3ZzUtZ3E2N84ABWTk/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS00ampyLXZtdjctd2g0d84ABVZE","url":"https://github.com/advisories/GHSA-4jjr-vmv7-wh4w","title":"Statamic: Unsafe method invocation via query value resolution allows data destruction","description":"### Impact\n\nManipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.\n\nThe Control Panel requires authentication with minimal permissions in order to exploit. e.g. 
\"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc.\n\nThe REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.\n\nSites that enable the REST or GraphQL API without authentication should treat patching as critical priority.\n\n### Patches\n\nThis has been fixed in 5.73.20 and 6.13.0.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-04-16T21:25:35.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w","https://nvd.nist.gov/vuln/detail/CVE-2026-41175","https://github.com/advisories/GHSA-4jjr-vmv7-wh4w"],"source_kind":"github","identifiers":["GHSA-4jjr-vmv7-wh4w","CVE-2026-41175"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-16T22:00:09.301Z","updated_at":"2026-06-19T03:01:16.257Z","epss_percentage":0.00105,"epss_percentile":0.28071,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ampyLXZtdjctd2g0d84ABVZE","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00ampyLXZtdjctd2g0d84ABVZE","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.13.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.13.0"},{"first_patched_version":"5.73.20","vulnerable_version_range":"\u003c 5.73.20"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ampyLXZtdjctd2g0d84ABVZE/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS00aHA3LTN3eGctY3Y5cc4ABUVW","url":"https://github.com/advisories/GHSA-4hp7-3wxg-cv9q","title":"Statamic allows unauthorized content access through missing authorization in 
its revision controllers ","description":"### Impact\nAuthenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.\n\nUsers could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-26T19:07:23.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q","https://nvd.nist.gov/vuln/detail/CVE-2026-33887","https://github.com/advisories/GHSA-4hp7-3wxg-cv9q"],"source_kind":"github","identifiers":["GHSA-4hp7-3wxg-cv9q","CVE-2026-33887"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-26T20:00:10.762Z","updated_at":"2026-06-04T03:01:21.832Z","epss_percentage":0.00032,"epss_percentile":0.09874,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aHA3LTN3eGctY3Y5cc4ABUVW","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00aHA3LTN3eGctY3Y5cc4ABUVW","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.7.2","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aHA3LTN3eGctY3Y5cc4ABUVW/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1nY3FmLTV4OWYtaHE3Zs4ABUVV","url":"https://github.com/advisories/GHSA-gcqf-5x9f-hq7f","title":"Statamic's sensitive 
configuration values are exposed to content editors via Antlers-enabled fields","description":"### Impact\nA control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-26T19:06:58.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f","https://nvd.nist.gov/vuln/detail/CVE-2026-33886","https://github.com/advisories/GHSA-gcqf-5x9f-hq7f"],"source_kind":"github","identifiers":["GHSA-gcqf-5x9f-hq7f","CVE-2026-33886"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-26T20:00:10.762Z","updated_at":"2026-06-04T03:01:21.833Z","epss_percentage":0.00077,"epss_percentile":0.23147,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY3FmLTV4OWYtaHE3Zs4ABUVV","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1nY3FmLTV4OWYtaHE3Zs4ABUVV","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.7.2","vulnerable_version_range":"\u003e= 6.5.0, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003e= 5.73.12, \u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY3FmLTV4OWYtaHE3Zs4ABUVV/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS03Zjc0LTdxNXctaGo0cs4ABUVU","url":"https://github.com/advisories/GHSA-7f74-7q5w-hj4r","title":"Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential","description":"### Impact\nThe external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to 
external URLs after actions like form submissions and authentication flows.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-26T19:05:57.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r","https://nvd.nist.gov/vuln/detail/CVE-2026-33885","https://github.com/advisories/GHSA-7f74-7q5w-hj4r"],"source_kind":"github","identifiers":["GHSA-7f74-7q5w-hj4r","CVE-2026-33885"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-26T20:00:10.762Z","updated_at":"2026-06-14T01:01:30.382Z","epss_percentage":0.00052,"epss_percentile":0.16562,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Zjc0LTdxNXctaGo0cs4ABUVU","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS03Zjc0LTdxNXctaGo0cs4ABUVU","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.7.2","vulnerable_version_range":"\u003e= 6.0.0.alpha.1, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Zjc0LTdxNXctaGo0cs4ABUVU/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS04dnd4LWNjZjYtNXdnMs4ABUVT","url":"https://github.com/advisories/GHSA-8vwx-ccf6-5wg2","title":"Statamic's live preview token bypasses content protection for unrelated entries","description":"### Impact\nAn authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.\n\n### Patches\nThis has been fixed in 5.73.16 and 
6.7.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-26T19:05:46.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2","https://nvd.nist.gov/vuln/detail/CVE-2026-33884","https://github.com/advisories/GHSA-8vwx-ccf6-5wg2"],"source_kind":"github","identifiers":["GHSA-8vwx-ccf6-5wg2","CVE-2026-33884"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-26T20:00:10.762Z","updated_at":"2026-06-04T03:01:21.834Z","epss_percentage":0.0004,"epss_percentile":0.12214,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04dnd4LWNjZjYtNXdnMs4ABUVT","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04dnd4LWNjZjYtNXdnMs4ABUVT","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.7.2","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04dnd4LWNjZjYtNXdnMs4ABUVT/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0zamc0LXAyM3gtcDRxeM4ABUVS","url":"https://github.com/advisories/GHSA-3jg4-p23x-p4qx","title":"Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag","description":"### Impact\n\nThe `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.\n\n### Patches\n\nThis has been fixed in 5.73.16 and 
6.7.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-26T19:05:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-3jg4-p23x-p4qx","https://nvd.nist.gov/vuln/detail/CVE-2026-33883","https://github.com/advisories/GHSA-3jg4-p23x-p4qx"],"source_kind":"github","identifiers":["GHSA-3jg4-p23x-p4qx","CVE-2026-33883"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-26T20:00:10.762Z","updated_at":"2026-06-19T03:01:42.698Z","epss_percentage":0.00041,"epss_percentile":0.12711,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zamc0LXAyM3gtcDRxeM4ABUVS","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0zamc0LXAyM3gtcDRxeM4ABUVS","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.7.2","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zamc0LXAyM3gtcDRxeM4ABUVS/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1jdmgzLTIzdnEtdzdoNM4ABUVR","url":"https://github.com/advisories/GHSA-cvh3-23vq-w7h4","title":"Statamic's Markdown preview endpoint exposes sensitive user data","description":"### Impact\nThe markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. 
With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-26T19:03:04.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4","https://nvd.nist.gov/vuln/detail/CVE-2026-33882","https://github.com/advisories/GHSA-cvh3-23vq-w7h4"],"source_kind":"github","identifiers":["GHSA-cvh3-23vq-w7h4","CVE-2026-33882"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-26T20:00:10.762Z","updated_at":"2026-06-04T03:01:21.835Z","epss_percentage":0.00106,"epss_percentile":0.28227,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdmgzLTIzdnEtdzdoNM4ABUVR","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1jdmgzLTIzdnEtdzdoNM4ABUVR","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.7.2","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdmgzLTIzdnEtdzdoNM4ABUVR/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS13aDNoLWd2YzQtY2MyZ84ABT0_","url":"https://github.com/advisories/GHSA-wh3h-gvc4-cc2g","title":"Statamic is missing authorization check on taxonomy term creation via fieldtype","description":"### Impact\n\nLow-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. 
This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-18T20:00:51.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g","https://nvd.nist.gov/vuln/detail/CVE-2026-33177","https://github.com/advisories/GHSA-wh3h-gvc4-cc2g"],"source_kind":"github","identifiers":["GHSA-wh3h-gvc4-cc2g","CVE-2026-33177"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-18T21:00:11.205Z","updated_at":"2026-05-28T19:02:43.982Z","epss_percentage":0.00014,"epss_percentile":0.02703,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13aDNoLWd2YzQtY2MyZ84ABT0_","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13aDNoLWd2YzQtY2MyZ84ABT0_","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.73.14","vulnerable_version_range":"\u003c 5.73.14"},{"first_patched_version":"6.7.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13aDNoLWd2YzQtY2MyZ84ABT0_/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1xbTdyLXd3cTctNmY4Nc4ABT0-","url":"https://github.com/advisories/GHSA-qm7r-wwq7-6f85","title":"Statamic has a path traversal in file dictionary fieldtype","description":"### Impact\n\nAuthenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 
6.7.0.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-18T20:00:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85","https://nvd.nist.gov/vuln/detail/CVE-2026-33171","https://github.com/advisories/GHSA-qm7r-wwq7-6f85"],"source_kind":"github","identifiers":["GHSA-qm7r-wwq7-6f85","CVE-2026-33171"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-18T21:00:11.205Z","updated_at":"2026-06-05T09:01:38.518Z","epss_percentage":0.00022,"epss_percentile":0.06476,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbTdyLXd3cTctNmY4Nc4ABT0-","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1xbTdyLXd3cTctNmY4Nc4ABT0-","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.73.14","vulnerable_version_range":"\u003c 5.73.14"},{"first_patched_version":"6.7.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbTdyLXd3cTctNmY4Nc4ABT0-/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS03cmN2LTU1bWotY2hnN84ABT09","url":"https://github.com/advisories/GHSA-7rcv-55mj-chg7","title":"Statamic has Stored XSS via SVG Sanitization Bypass","description":"### Impact\n\nStored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 
6.7.0.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-03-18T19:54:30.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7","https://nvd.nist.gov/vuln/detail/CVE-2026-33172","https://github.com/advisories/GHSA-7rcv-55mj-chg7"],"source_kind":"github","identifiers":["GHSA-7rcv-55mj-chg7","CVE-2026-33172"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-18T20:00:10.591Z","updated_at":"2026-06-14T01:01:37.235Z","epss_percentage":0.00014,"epss_percentile":0.02507,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cmN2LTU1bWotY2hnN84ABT09","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS03cmN2LTU1bWotY2hnN84ABT09","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.73.14","vulnerable_version_range":"\u003c 5.73.14"},{"first_patched_version":"6.7.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cmN2LTU1bWotY2hnN84ABT09/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1oY2NoLXc3M2MtanA0bc4ABTl6","url":"https://github.com/advisories/GHSA-hcch-w73c-jp4m","title":"Statamic vulnerable to privilege escalation via stored cross-site scripting","description":"### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 
6.6.2.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-13T20:50:51.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-hcch-w73c-jp4m","https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-32612","https://nvd.nist.gov/vuln/detail/CVE-2026-32612","https://github.com/advisories/GHSA-hcch-w73c-jp4m"],"source_kind":"github","identifiers":["GHSA-hcch-w73c-jp4m","CVE-2026-32612"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-13T21:00:09.224Z","updated_at":"2026-05-20T05:01:49.178Z","epss_percentage":0.00016,"epss_percentile":0.0359,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oY2NoLXc3M2MtanA0bc4ABTl6","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1oY2NoLXc3M2MtanA0bc4ABTl6","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.6.2","vulnerable_version_range":"\u003e= 6.0.0, \u003c 6.6.2"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oY2NoLXc3M2MtanA0bc4ABTl6/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01dnJqLXdmN3YtNXdyN84ABS7k","url":"https://github.com/advisories/GHSA-5vrj-wf7v-5wr7","title":"Statamic vulnerable to privilege escalation via stored cross-site scripting","description":"### Impact\nStored XSS vulnerability in svg and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\n### Patches\nThis has been fixed in 5.73.11 and 
6.4.0.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-03-01T01:31:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7","https://nvd.nist.gov/vuln/detail/CVE-2026-28426","https://github.com/statamic/cms/releases/tag/v5.73.11","https://github.com/statamic/cms/releases/tag/v6.4.0","https://github.com/advisories/GHSA-5vrj-wf7v-5wr7"],"source_kind":"github","identifiers":["GHSA-5vrj-wf7v-5wr7","CVE-2026-28426"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-01T02:00:10.065Z","updated_at":"2026-06-07T16:01:50.306Z","epss_percentage":0.00013,"epss_percentile":0.02081,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01dnJqLXdmN3YtNXdyN84ABS7k","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01dnJqLXdmN3YtNXdyN84ABS7k","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.4.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.4.0"},{"first_patched_version":"5.73.11","vulnerable_version_range":"\u003c 5.73.11"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01dnJqLXdmN3YtNXdyN84ABS7k/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1jcHY3LXEyd3gtbThyd84ABS7j","url":"https://github.com/advisories/GHSA-cpv7-q2wx-m8rw","title":"Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs","description":"### Impact\nAn authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. 
That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability.\n\nExploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.\n\n### Patches\nThis has been fixed in 5.73.16 and 6.7.2.\n\nNote that a follow-up report showed that the original 5.73.11 \u0026 6.4.0 fixes were insufficient.\n\nIf you use addons that depend on Statamic, ensure that after updating you are running a patched Statamic version.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-03-01T01:30:55.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw","https://nvd.nist.gov/vuln/detail/CVE-2026-28425","https://github.com/statamic/cms/releases/tag/v5.73.16","https://github.com/statamic/cms/releases/tag/v6.7.2","https://github.com/advisories/GHSA-cpv7-q2wx-m8rw"],"source_kind":"github","identifiers":["GHSA-cpv7-q2wx-m8rw","CVE-2026-28425"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-01T02:00:10.065Z","updated_at":"2026-06-14T01:01:31.512Z","epss_percentage":0.00188,"epss_percentile":0.40529,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcHY3LXEyd3gtbThyd84ABS7j","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1jcHY3LXEyd3gtbThyd84ABS7j","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patche
d_version":"6.7.2","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.7.2"},{"first_patched_version":"5.73.16","vulnerable_version_range":"\u003c 5.73.16"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcHY3LXEyd3gtbThyd84ABS7j/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS13ODc4LWY4YzYtN3I2M84ABS7i","url":"https://github.com/advisories/GHSA-w878-f8c6-7r63","title":"Statamic's missing authorization allows access to email addresses","description":"### Impact\nUser email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.\n\n### Patches\nThis has been fixed in 5.73.11 and 6.4.0.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-01T01:30:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63","https://nvd.nist.gov/vuln/detail/CVE-2026-28424","https://github.com/statamic/cms/releases/tag/v5.73.11","https://github.com/statamic/cms/releases/tag/v6.4.0","https://github.com/advisories/GHSA-w878-f8c6-7r63"],"source_kind":"github","identifiers":["GHSA-w878-f8c6-7r63","CVE-2026-28424"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-01T02:00:10.065Z","updated_at":"2026-06-17T17:02:21.074Z","epss_percentage":0.00042,"epss_percentile":0.12551,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ODc4LWY4YzYtN3I2M84ABS7i","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13ODc4LWY4YzYtN3I2M84ABS7i","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.4.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.4.0"},{"first_patched_version":"5.73.11","vulnerable_version_range":"\u003c 
5.73.11"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ODc4LWY4YzYtN3I2M84ABS7i/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1jd3BwLTMyNXEtMmN2cM4ABS7h","url":"https://github.com/advisories/GHSA-cwpp-325q-2cvp","title":"Statamic Vulnerable to Server-Side Request Forgery via Glide","description":"### Impact\n\nWhen Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.\n\n\n## Patches\n\nThis has been fixed in 5.73.11 and 6.4.0.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-01T01:30:24.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.8,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp","https://nvd.nist.gov/vuln/detail/CVE-2026-28423","https://github.com/statamic/cms/releases/tag/v5.73.11","https://github.com/statamic/cms/releases/tag/v6.4.0","https://github.com/advisories/GHSA-cwpp-325q-2cvp"],"source_kind":"github","identifiers":["GHSA-cwpp-325q-2cvp","CVE-2026-28423"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-01T02:00:10.065Z","updated_at":"2026-06-19T03:02:10.759Z","epss_percentage":0.00025,"epss_percentile":0.06898,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jd3BwLTMyNXEtMmN2cM4ABS7h","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1jd3BwLTMyNXEtMmN2cM4ABS7h","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.4.0","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 
6.4.0"},{"first_patched_version":"5.73.11","vulnerable_version_range":"\u003c 5.73.11"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jd3BwLTMyNXEtMmN2cM4ABS7h/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1ydzl4LXB4cXgtcTc4Oc4ABS6z","url":"https://github.com/advisories/GHSA-rw9x-pxqx-q789","title":"Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass","description":"## Impact\n\nAuthenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation.\n\n## Patches\nThis has been fixed in 6.4.0.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-02-27T21:35:00.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789","https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a","https://nvd.nist.gov/vuln/detail/CVE-2026-27939","https://github.com/advisories/GHSA-rw9x-pxqx-q789"],"source_kind":"github","identifiers":["GHSA-rw9x-pxqx-q789","CVE-2026-27939"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-27T22:00:09.758Z","updated_at":"2026-06-03T15:02:13.321Z","epss_percentage":0.00022,"epss_percentile":0.06491,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydzl4LXB4cXgtcTc4Oc4ABS6z","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ydzl4LXB4cXgtcTc4Oc4ABS6z","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.4.0","vulnerable_version_range":"\u003e= 6.0.0, \u003c 
6.4.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydzl4LXB4cXgtcTc4Oc4ABS6z/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1qeHE5LTc5dmotcmd2d84ABSzD","url":"https://github.com/advisories/GHSA-jxq9-79vj-rgvw","title":"Statamic is vulnerable to account takeover via password reset link injection","description":"## Impact\n\nAn attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.\n\nThe attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.\n\n## Patches\n\nThis has been fixed in 6.7.1 and 5.73.10.\n\nNote that a follow-up report showed the original 6.3.3 fix to be insufficient. The 5.73.10 fix was sufficient.","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-02-24T21:09:23.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw","https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e","https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be","https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0","https://github.com/statamic/cms/releases/tag/v5.73.10","https://github.com/statamic/cms/releases/tag/v6.3.3","https://nvd.nist.gov/vuln/detail/CVE-2026-27593","https://github.com/advisories/GHSA-jxq9-79vj-rgvw"],"source_kind":"github","identifiers":["GHSA-jxq9-79vj-rgvw","CVE-2026-27593"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-24T22:00:07.880Z","updated_at":"2026-06-19T03:02:16.213Z","epss_percentage":0.00017,"epss_percentile":0.04215,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qeHE5LTc5dmotcmd2d
84ABSzD","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1qeHE5LTc5dmotcmd2d84ABSzD","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.73.10","vulnerable_version_range":"\u003c 5.73.10"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qeHE5LTc5dmotcmd2d84ABSzD/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS04cjdyLWY0Z20td2Nwcc4ABSmo","url":"https://github.com/advisories/GHSA-8r7r-f4gm-wcpq","title":"Statamic affected by privilege escalation via stored cross-site scripting","description":"## Impact\n\nStored XSS vulnerability in `html` fieldtypes allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\n## Patches\n\nThis has been fixed in 6.3.2 and 5.73.9.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-02-19T20:30:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq","https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b","https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3","https://nvd.nist.gov/vuln/detail/CVE-2026-27196","https://github.com/advisories/GHSA-8r7r-f4gm-wcpq"],"source_kind":"github","identifiers":["GHSA-8r7r-f4gm-wcpq","CVE-2026-27196"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-19T21:00:08.821Z","updated_at":"2026-06-17T17:02:32.354Z","epss_percentage":0.00014,"epss_percentile":0.02654,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cjdyLWY0Z20td2Nwcc4ABSmo","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04cjdyLWY0Z20td2Nwcc4ABSmo","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"
first_patched_version":"5.73.9","vulnerable_version_range":"\u003c 5.73.9"},{"first_patched_version":"6.3.2","vulnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.3.2"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cjdyLWY0Z20td2Nwcc4ABSmo/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1mZjlyLXd3OWMtNDN4OM4ABSPB","url":"https://github.com/advisories/GHSA-ff9r-ww9c-43x8","title":"Statamic CMS vulnerable to privilege escalation via stored cross-site scripting","description":"### Impact\nStored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\nThe malicious user must have an account with control panel access and content creation permissions.\n\nThis vulnerability can be exploited to allow super admin accounts to be created.\n\n### Patches\nThis has been fixed in 6.2.3.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-02-11T18:17:58.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8","https://github.com/statamic/cms/releases/tag/v6.2.3","https://nvd.nist.gov/vuln/detail/CVE-2026-25759","https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6","https://github.com/advisories/GHSA-ff9r-ww9c-43x8"],"source_kind":"github","identifiers":["GHSA-ff9r-ww9c-43x8","CVE-2026-25759"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-11T19:00:08.079Z","updated_at":"2026-06-14T01:02:09.348Z","epss_percentage":0.00016,"epss_percentile":0.03678,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZjlyLXd3OWMtNDN4OM4ABSPB","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1mZjlyLXd3OWMtNDN4OM4ABSPB","packages":[{"ecosystem":
"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.2.3","vulnerable_version_range":"\u003e= 6.0.0, \u003c 6.2.3"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZjlyLXd3OWMtNDN4OM4ABSPB/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1nd214LTlnY2otMzMyaM4ABSPA","url":"https://github.com/advisories/GHSA-gwmx-9gcj-332h","title":"Statamic CMS's missing authorization allows access to assets","description":"### Impact\nUsers without permission to view assets are able to download them and view their metadata.\n\nLogged-out users and users without permission to access the control panel are unable to take advantage of this.\n\n### Patches\nThis has been fixed in 5.73.6 and 6.2.5.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-02-11T16:53:35.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h","https://github.com/statamic/cms/pull/13883","https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a","https://github.com/statamic/cms/releases/tag/v5.73.6","https://github.com/statamic/cms/releases/tag/v6.2.5","https://nvd.nist.gov/vuln/detail/CVE-2026-25633","https://github.com/advisories/GHSA-gwmx-9gcj-332h"],"source_kind":"github","identifiers":["GHSA-gwmx-9gcj-332h","CVE-2026-25633"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-11T17:00:08.027Z","updated_at":"2026-06-14T01:02:09.348Z","epss_percentage":0.00015,"epss_percentile":0.03135,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nd214LTlnY2otMzMyaM4ABSPA","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1nd214LTlnY2otMzMyaM4ABSPA","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"6.2.5","vu
lnerable_version_range":"\u003e= 6.0.0-alpha.1, \u003c 6.2.5"},{"first_patched_version":"5.73.6","vulnerable_version_range":"\u003c 5.73.6"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nd214LTlnY2otMzMyaM4ABSPA/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1nNTlyLTI0ZzMtaDdjbc4ABOCu","url":"https://github.com/advisories/GHSA-g59r-24g3-h7cm","title":"Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation","description":"### Impact\n\nStored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.\n\nThis affects:\n\n- Control panel users with permission to create or edit Collections and Taxonomies\n- Versions up to and including 5.22.0\n\nThe vulnerability can be exploited to:\n\n- Change a super admin's password (versions ≤ 5.21.0)\n- Change a super admin's email address to initiate password reset (version 5.22.0)\n- Gain unauthorized access to superadmin accounts\n\nThe attack requires:\n\n- An authenticated user with control panel and content creation permissions\n- A super admin to view the compromised content\n\n### Patches\n\nThis has been fixed in 5.22.1.\n\n### Credits\n\nStatamic thanks [Wojtek Chwala](https://github.com/wojtekchwala) for responsibly reporting the identified issues and working with us as we addressed 
them.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-10-30T17:22:53.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm","https://github.com/statamic/cms/releases/tag/v5.22.1","https://nvd.nist.gov/vuln/detail/CVE-2025-64112","https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1","https://github.com/advisories/GHSA-g59r-24g3-h7cm"],"source_kind":"github","identifiers":["GHSA-g59r-24g3-h7cm","CVE-2025-64112"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2025-10-30T18:00:08.165Z","updated_at":"2026-06-07T16:02:39.542Z","epss_percentage":0.00036,"epss_percentile":0.11014,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNTlyLTI0ZzMtaDdjbc4ABOCu","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1nNTlyLTI0ZzMtaDdjbc4ABOCu","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.22.1","vulnerable_version_range":"\u003c= 5.22.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNTlyLTI0ZzMtaDdjbc4ABOCu/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1wN2Y2LThtY20tZnd2M84ABBfv","url":"https://github.com/advisories/GHSA-p7f6-8mcm-fwv3","title":"Statamic CMS has a Path Traversal in Asset Upload","description":"Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.\n\n### Impact\n\n- Affects front-end forms with `assets` fields.\n- Affects other places where assets can be uploaded, although users would need upload permissions anyway.\n- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.\n- Traversal _outside_ an 
asset container was not possible.\n\n### Patches\n\nThis has been fixed in 5.17.0.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2024-11-19T18:03:07.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3","https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d","https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da","https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d","https://nvd.nist.gov/vuln/detail/CVE-2024-52600","https://github.com/advisories/GHSA-p7f6-8mcm-fwv3"],"source_kind":"github","identifiers":["GHSA-p7f6-8mcm-fwv3","CVE-2024-52600"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2024-11-19T19:06:55.033Z","updated_at":"2026-04-05T20:03:50.239Z","epss_percentage":0.00386,"epss_percentile":0.59525,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wN2Y2LThtY20tZnd2M84ABBfv","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wN2Y2LThtY20tZnd2M84ABBfv","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.17.0","vulnerable_version_range":"\u003c= 5.16.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wN2Y2LThtY20tZnd2M84ABBfv/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1xdnBqLXc3eGotcjZ3Oc4AA8mW","url":"https://github.com/advisories/GHSA-qvpj-w7xj-r6w9","title":"Password confirmation stored in plain text via registration form in statamic/cms","description":"Users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file.\n\n### Impact\nThis only affects sites matching **all** of the following conditions:\n- Running Statamic versions 
between 5.3.0 and 5.6.1. (This version range represents only one calendar week)\n- Using the `user:register_form` tag.\n- Using file-based user accounts. (Does not affect users stored in a database.)\n- Has users that have registered during that time period. (Existing users are not affected.)\n\nThe password is only visible to users that have access to read user yaml files, typically developers of the application itself.\n\n### Patches\nThe issue has been patched in 5.6.2, however any users registered during that time period and using the affected version range will still have the `password_confirmation` value in their yaml files.\n\nWe recommend that affected users have their password reset. The following query can be entered into `php artisan tinker` and will output a list of affected emails:\n\n```php\nStatamic\\Facades\\User::query()-\u003ewhereNotNull('password_confirmation')-\u003eget()-\u003emap-\u003eemail\n```\n\nThe following can be entered into `tinker` and will clear both password_confirmation as well as their existing password. They will be required to reset their password before their next login attempt.\n\n```php\nStatamic\\Facades\\User::query()\n  -\u003ewhereNotNull('password_confirmation')-\u003eget()\n  -\u003eeach(fn ($user) =\u003e $user-\u003eremove('password_confirmation')-\u003epasswordHash(null)-\u003esave());\n```\n\n### References\nIf you are committing user files to a public git repo, you may consider clearing the sensitive data from the git history. 
You can use the following links for details.\n- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository\n- https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-06-02T22:30:45.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":1.8,"cvss_vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-qvpj-w7xj-r6w9","https://nvd.nist.gov/vuln/detail/CVE-2024-36119","https://github.com/statamic/cms/commit/0b804306c96c99b81755d5bd02df87ddf392853e","https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5","https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository","https://github.com/advisories/GHSA-qvpj-w7xj-r6w9"],"source_kind":"github","identifiers":["GHSA-qvpj-w7xj-r6w9","CVE-2024-36119"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2024-06-02T23:05:10.691Z","updated_at":"2026-04-05T20:04:57.133Z","epss_percentage":0.00021,"epss_percentile":0.05518,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdnBqLXc3eGotcjZ3Oc4AA8mW","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1xdnBqLXc3eGotcjZ3Oc4AA8mW","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"5.6.2","vulnerable_version_range":"\u003e= 5.3.0, \u003c 5.6.2"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdnBqLXc3eGotcjZ3Oc4AA8mW/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS12cXhxLWh2eHctOW12Oc4AA4_z","url":"https://github.com/advisories/GHSA-vqxq-hvxw-9mv9","title":"Statamic CMS vulnerable to account takeover via XSS and password reset link","description":"### Impact\n\nHTML 
files crafted to look like jpg files are able to be uploaded, allowing for XSS.\n\nThis affects:\n\n- front-end forms with asset fields without any mime type validation\n- asset fields in the control panel\n- asset browser in the control panel\n\nAdditionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur.\n\n### Patches\n\nIn versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled. (Users may still trigger password reset emails.)\n\n### Credits\n\nStatamic thanks Niklas Schilling (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2024-02-01T20:51:46.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9","https://nvd.nist.gov/vuln/detail/CVE-2024-24570","http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html","http://seclists.org/fulldisclosure/2024/Feb/17","https://github.com/advisories/GHSA-vqxq-hvxw-9mv9"],"source_kind":"github","identifiers":["GHSA-vqxq-hvxw-9mv9","CVE-2024-24570"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2024-02-01T21:05:06.054Z","updated_at":"2026-06-09T13:07:13.028Z","epss_percentage":0.0144,"epss_percentile":0.80535,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cXhxLWh2eHctOW12Oc4AA4_z","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12cXhxLWh2eHctOW12Oc4AA4_z","pac
kages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"3.4.17","vulnerable_version_range":"\u003c 3.4.17"},{"first_patched_version":"4.46.0","vulnerable_version_range":"\u003e= 4.00, \u003c 4.46.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cXhxLWh2eHctOW12Oc4AA4_z/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS04ampoLWozYzItY2pjds4AA3U2","url":"https://github.com/advisories/GHSA-8jjh-j3c2-cjcv","title":"Cross-site Scripting via uploaded assets","description":"### Impact\nHTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the \"Forms\" feature containing an assets field, or within the control panel which requires authentication.\n\n### Patches\nIt has been patched on 3.4.15 and 4.36.0.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2023-11-22T20:55:07.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv","https://nvd.nist.gov/vuln/detail/CVE-2023-48701","https://github.com/statamic/cms/releases/tag/v3.4.15","https://github.com/statamic/cms/releases/tag/v4.36.0","https://github.com/advisories/GHSA-8jjh-j3c2-cjcv"],"source_kind":"github","identifiers":["GHSA-8jjh-j3c2-cjcv","CVE-2023-48701"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2023-11-22T21:05:56.509Z","updated_at":"2026-06-07T16:06:55.474Z","epss_percentage":0.00953,"epss_percentile":0.76505,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ampoLWozYzItY2pjds4AA3U2","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04ampoLWozYzItY2pjds4AA3U2","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"4
.36.0","vulnerable_version_range":"\u003e= 4.0.0, \u003c 4.36.0"},{"first_patched_version":"3.4.15","vulnerable_version_range":"\u003c 3.4.15"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ampoLWozYzItY2pjds4AA3U2/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0ycjUzLTkyOTUtM204Ns4AA3K4","url":"https://github.com/advisories/GHSA-2r53-9295-3m86","title":"Statamic CMS vulnerable to remote code execution via form uploads","description":"### Impact\n\nSimilar to [another advisory](https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc), certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel.\n\n### Patches\nIt has been patched in 3.4.14 and 4.34.0.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2023-11-14T22:25:41.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86","https://github.com/statamic/cms/pull/8991","https://github.com/statamic/cms/pull/8992","https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411","https://github.com/statamic/cms/commit/da28afde818d605179fbb63b96eabafabad876b6","https://github.com/statamic/cms/releases/tag/v3.4.14","https://github.com/statamic/cms/releases/tag/v4.34.0","https://nvd.nist.gov/vuln/detail/CVE-2023-48217","https://github.com/advisories/GHSA-2r53-9295-3m86"],"source_kind":"github","identifiers":["GHSA-2r53-9295-3m86","CVE-2023-48217"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2023-11-14T23:05:49.088Z","updated_at":"2026-06-07T16:06:56.547Z","epss_percentage":0.01048,"epss_percentile":0.77504,"api_url":"https://advisories.ecosyste.ms/api/v
1/advisories/GSA_kwCzR0hTQS0ycjUzLTkyOTUtM204Ns4AA3K4","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0ycjUzLTkyOTUtM204Ns4AA3K4","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"3.4.14","vulnerable_version_range":"\u003c 3.4.14"},{"first_patched_version":"4.34.0","vulnerable_version_range":"\u003e= 4.0.0, \u003c 4.34.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycjUzLTkyOTUtM204Ns4AA3K4/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3","url":"https://github.com/advisories/GHSA-72hg-5wr5-rmfc","title":"Statamic CMS remote code execution via front-end form uploads","description":"### Impact\nOn front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. 
This does not affect the control panel.\n\n### Patches\nIt has been patched in 3.4.13 and 4.33.0.\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2023-11-12T15:57:58.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.3,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","references":["https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc","https://nvd.nist.gov/vuln/detail/CVE-2023-47129","https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75","https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77","https://github.com/advisories/GHSA-72hg-5wr5-rmfc"],"source_kind":"github","identifiers":["GHSA-72hg-5wr5-rmfc","CVE-2023-47129"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2023-11-12T16:05:37.515Z","updated_at":"2026-06-14T01:06:52.130Z","epss_percentage":0.05963,"epss_percentile":0.90819,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"3.4.13","vulnerable_version_range":"\u003c 3.4.13"},{"first_patched_version":"4.33.0","vulnerable_version_range":"\u003e= 4.0.0, \u003c 4.33.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MmhnLTV3cjUtcm1mY84AA3C3/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02cjVnLWNxNHEtMzI3Z84AA0Xo","url":"https://github.com/advisories/GHSA-6r5g-cq4q-327g","title":"Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG","description":"Antlers sanitizer cannot effectively sanitize malicious SVG\n\n### Summary\nThe SVG tag does not sanitize malicious SVG. 
Therefore, an attacker can exploit this vulnerability to perform XSS attacks using SVG, even when using the `sanitize` function.\n\n### Details\nRegarding the previous discussion mentioned [here](https://github.com/statamic/cms/security/advisories/GHSA-jvw9-rrc5-39g6#advisory-comment-84322), it has been identified that the default blacklist in the **FilesFieldtypeController** (located at this [link](https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15)) only blocks certain file extensions such as php, php3, php4, php5, and phtml. This allows a malicious user to upload a manipulated SVG file disguised as a social media icon, potentially triggering an XSS vulnerability.\n\n### PoC Screenshot\n![image](https://user-images.githubusercontent.com/17494868/251093022-15f949e9-2014-4069-850b-81940076745e.png)\n\n### PoC\n1. Create new Global set, let's say \"Settings\"\n2. Create a \"Grid\" field in Blueprint (named: social), then add somefields Name (text), URL (text) and Icon (Assets) in the section Fields.\n3. When calling the social setting in the `_footer.antlers.html`, remember to [sanitize](https://statamic.dev/modifiers/sanitize)\n```\n{{ settings:social }}\n    \u003ca href=\"{{ $url }}\" class=\"ml-4\" aria-label=\"{{ $name }}\" rel=\"noopener\"\u003e\n        {{ svg :src=\"icon\" class=\"h-6 w-6 hover:text-hot-pink\" | sanitize }}\n    \u003c/a\u003e\n{{ /settings:social }}\n```\n4. 
Upload the malicious SVG image, here is the code:\n```\n\u003c?xml version=\"1.0\" standalone=\"no\"?\u003e\n\u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n\n\u003csvg width=\"500\" height=\"500\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\u003e\n   \u003ctext x=\"20\" y=\"35\"\u003eStatamic\u003c/text\u003e\n   \u003cforeignObject width=\"500\" height=\"500\"\u003e\n            \u003ciframe xmlns=\"http://www.w3.org/1999/xhtml\" src=\"javascript:confirm(document.cookie);\" width=\"400\" height=\"250\"/\u003e\n   \u003c/foreignObject\u003e\n\u003c/svg\u003e\n```\n\n\n\n### Impact\nSince the social media icon is displayed in the footer layout, any user can view it, potentially leading to the execution of XSS.\n\n### Suggestions to Mitigate or Resolve the Issue:\nSanitize when outputing the svg. This vulnerability caused by unsanitized `File::get()` when retrieving the SVG, it is crucial to sanitize the SVG when outputting it. The issue can be found in the following file: https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40.\n\nIt is highly recommended to implement proper sanitization measures to ensure the security of the SVG content. 
One effective approach is to utilize a reliable package, such as https://github.com/darylldoyle/svg-sanitizer ,which provides comprehensive SVG sanitization capabilities.\n\nSo the code becomes:\n```php\nuse enshrined\\svgSanitize\\Sanitizer;\n\nif (File::exists($file)) {\n                \n    $sanitizer = new Sanitizer();\n    $dirtySVG = File::get($file);\n\n    $svg = $sanitizer-\u003esanitize($dirtySVG);\n    break;\n}\n```\n\n### Reference\n- https://github.com/gogs/gogs/security/advisories/GHSA-ff28-f46g-r9g8\n- https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/\n- https://blog.nintechnet.com/wordpress-elementor-plugin-fixed-svg-xss-protection-bypass-vulnerability/","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2023-07-06T20:56:28.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.5,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L","references":["https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g","https://nvd.nist.gov/vuln/detail/CVE-2023-36828","https://github.com/statamic/cms/pull/8408","https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d","https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15","https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40","https://github.com/statamic/cms/releases/tag/v4.10.0","https://github.com/advisories/GHSA-6r5g-cq4q-327g"],"source_kind":"github","identifiers":["GHSA-6r5g-cq4q-327g","CVE-2023-36828"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2023-07-06T21:03:47.920Z","updated_at":"2026-06-09T13:09:17.953Z","epss_percentage":0.00299,"epss_percentile":0.53507,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cjVnLWNxNHEtMzI3Z84AA0Xo","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02cjVnLWNxNHEtMzI
3Z84AA0Xo","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"4.10.0","vulnerable_version_range":"\u003c 4.10.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cjVnLWNxNHEtMzI3Z84AA0Xo/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01bTY0LTlocTUtNXBmMs3zzg","url":"https://github.com/advisories/GHSA-5m64-9hq5-5pf2","title":"Statamic framework Incorrect Permission Assignment ","description":"Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-05-13T01:12:20.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","references":["https://nvd.nist.gov/vuln/detail/CVE-2017-11422","https://github.com/advisories/GHSA-5m64-9hq5-5pf2"],"source_kind":"github","identifiers":["GHSA-5m64-9hq5-5pf2","CVE-2017-11422"],"repository_url":null,"blast_radius":0.0,"created_at":"2023-07-26T00:03:45.742Z","updated_at":"2026-06-14T01:07:06.799Z","epss_percentage":0.00203,"epss_percentile":0.42586,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bTY0LTlocTUtNXBmMs3zzg","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01bTY0LTlocTUtNXBmMs3zzg","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"2.6.0","vulnerable_version_range":"\u003c 2.6.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bTY0LTlocTUtNXBmMs3zzg/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1xY2d4LTdwNWYtaHh2cs02gQ","url":"https://github.com/advisories/GHSA-qcgx-7p5f-hxvr","title":"Discoverability of user password hash in 
Statamic CMS","description":"## Description\n\nIt was possible to confirm a single character of a user's password hash (just the hash, not the password) using a specially crafted regular expression filter in the users endpoint of the REST API. Many requests could eventually uncover the entire hash.\n\nThe hash would not be in the response, however the presence or absence of a result would confirm if the character was in the right position. It would take a long time since the API has throttling enabled by default.\n\nAdditionally, the REST API would need to be enabled, as well as the users endpoint. Both of which are disabled by default.\n\n## Resolution\n\nFiltering by password or password hash has been disabled.\n\n## Credits\n\nWe would like to thank Thibaud Kehler for reporting the issue.","origin":"UNSPECIFIED","severity":"LOW","published_at":"2022-03-29T22:11:45.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":3.7,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","references":["https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr","https://nvd.nist.gov/vuln/detail/CVE-2022-24784","https://github.com/statamic/cms/issues/5604","https://github.com/statamic/cms/pull/5568","https://github.com/advisories/GHSA-qcgx-7p5f-hxvr"],"source_kind":"github","identifiers":["GHSA-qcgx-7p5f-hxvr","CVE-2022-24784"],"repository_url":"https://github.com/statamic/cms","blast_radius":0.0,"created_at":"2022-12-21T16:12:31.493Z","updated_at":"2026-06-19T03:10:18.196Z","epss_percentage":0.00268,"epss_percentile":0.50514,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xY2d4LTdwNWYtaHh2cs02gQ","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1xY2d4LTdwNWYtaHh2cs02gQ","packages":[{"ecosystem":"packagist","package_name":"statamic/cms","versions":[{"first_patched_version":"3.3.2","vulnerable_version_range":"\u003e= 3.3.0, \u003c 
3.3.2"},{"first_patched_version":"3.2.39","vulnerable_version_range":"\u003c 3.2.39"}],"purl":null,"statistics":{"dependent_packages_count":377,"dependent_repos_count":388,"downloads":2991735,"downloads_period":"total"},"affected_versions":["v3.0.0","v3.0.0-beta.1","v3.0.0-beta.2","v3.0.0-beta.3","v3.0.0-beta.4","v3.0.0-beta.5","v3.0.0-beta.6","v3.0.0-beta.7","v3.0.0-beta.8","v3.0.0-beta.9","v3.0.0-beta.10","v3.0.0-beta.11","v3.0.0-beta.12","v3.0.0-beta.13","v3.0.0-beta.14","v3.0.0-beta.15","v3.0.0-beta.16","v3.0.0-beta.17","v3.0.0-beta.18","v3.0.0-beta.19","v3.0.0-beta.20","v3.0.0-beta.21","v3.0.0-beta.22","v3.0.0-beta.23","v3.0.0-beta.24","v3.0.0-beta.25","v3.0.0-beta.26","v3.0.0-beta.27","v3.0.0-beta.28","v3.0.0-beta.29","v3.0.0-beta.30","v3.0.0-beta.31","v3.0.0-beta.32","v3.0.0-beta.33","v3.0.0-beta.34","v3.0.0-beta.35","v3.0.0-beta.36","v3.0.0-beta.37","v3.0.0-beta.38","v3.0.0-beta.39","v3.0.0-beta.40","v3.0.0-beta.41","v3.0.0-beta.42","v3.0.0-beta.43","v3.0.0-beta.44","v3.0.0-beta.45","v3.0.0-beta.46","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.0.10","v3.0.11","v3.0.12","v3.0.13","v3.0.14","v3.0.15","v3.0.16","v3.0.17","v3.0.18","v3.0.19","v3.0.20","v3.0.21","v3.0.22","v3.0.23","v3.0.24","v3.0.25","v3.0.26","v3.0.27","v3.0.28","v3.0.29","v3.0.30","v3.0.31","v3.0.32","v3.0.33","v3.0.34","v3.0.35","v3.0.35.1","v3.0.36","v3.0.36.1","v3.0.37","v3.0.38","v3.0.39","v3.0.40","v3.0.41","v3.0.42","v3.0.43","v3.0.44","v3.0.45","v3.0.46","v3.0.47","v3.0.48","v3.0.49","v3.1.0","v3.1.0-alpha.1","v3.1.0-alpha.2","v3.1.0-alpha.3","v3.1.0-alpha.4","v3.1.0-beta.1","v3.1.0-beta.2","v3.1.0-beta.3","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.1.8","v3.1.9","v3.1.10","v3.1.11","v3.1.12","v3.1.13","v3.1.14","v3.1.15","v3.1.16","v3.1.17","v3.1.18","v3.1.19","v3.1.20","v3.1.21","v3.1.22","v3.1.23","v3.1.24","v3.1.25","v3.1.26","v3.1.27","v3.1.28","v3.1.29","v3.1.30","v3.1.31","v3.1.32","v3.1.33","v3.1.34","v3.1.35","v3.2.
0","v3.2.0-beta.1","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.14","v3.2.15","v3.2.16","v3.2.17","v3.2.18","v3.2.19","v3.2.20","v3.2.21","v3.2.22","v3.2.23","v3.2.24","v3.2.25","v3.2.26","v3.2.27","v3.2.28","v3.2.29","v3.2.30","v3.2.31","v3.2.32","v3.2.33","v3.2.34","v3.2.35","v3.2.36","v3.2.37","v3.2.38","v3.3.0","v3.3.1"],"unaffected_versions":["v3.2.39","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.3.8","v3.3.9","v3.3.10","v3.3.11","v3.3.12","v3.3.13","v3.3.14","v3.3.15","v3.3.16","v3.3.17","v3.3.18","v3.3.19","v3.3.20","v3.3.21","v3.3.22","v3.3.23","v3.3.24","v3.3.25","v3.3.26","v3.3.27","v3.3.28","v3.3.29","v3.3.30","v3.3.31","v3.3.32","v3.3.33","v3.3.34","v3.3.35","v3.3.36","v3.3.37","v3.3.38","v3.3.39","v3.3.40","v3.3.41","v3.3.42","v3.3.43","v3.3.44","v3.3.45","v3.3.46","v3.3.47","v3.3.48","v3.3.49","v3.3.50","v3.3.51","v3.3.52","v3.3.53","v3.3.54","v3.3.55","v3.3.56","v3.3.57","v3.3.58","v3.3.59","v3.3.60","v3.3.61","v3.3.62","v3.3.63","v3.3.64","v3.3.65","v3.3.66","v3.3.67","v3.3.68","v3.4.0","v3.4.1","v3.4.2","v3.4.3","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v4.0.0","v4.1.0","v4.1.1","v4.1.2","v4.1.3","v4.2.0","v4.3.0","v4.4.0","v4.5.0","v4.6.0","v4.7.0","v4.8.0","v4.9.0","v4.9.1","v4.9.2","v4.10.0","v4.10.1","v4.10.2","v4.11.0","v4.12.0","v4.13.0","v4.13.1","v4.13.2","v4.14.0","v4.15.0","v4.16.0","v4.17.0","v4.18.0","v4.19.0","v4.20.0","v4.21.0","v4.22.0","v4.23.0","v4.23.1","v4.23.2","v4.24.0","v4.25.0","v4.26.0","v4.26.1","v4.27.0","v4.28.0","v4.29.0","v4.30.0","v4.31.0","v4.32.0","v4.33.0","v4.34.0","v4.35.0","v4.36.0","v4.37.0","v4.38.0","v4.39.0","v4.40.0","v4.41.0","v4.42.0","v4.42.1","v4.43.0","v4.44.0","v4.45.0","v4.46.0","v4.47.0","v4.48.0","v4.49.0","v4.50.0","v4.51.0","v4.52.0","v4.53.0","v4.53.1","v4.53.2","v4.54.0","v4.55.0","v4.56.0","v4.56.1","v4.57.0","
v4.57.1","v4.57.2","v4.57.3","v4.58.0","v4.58.1","v4.58.2","v4.58.3","v5.0.0","v5.0.1","v5.0.2","v5.1.0","v5.2.0","v5.3.0","v5.4.0","v5.5.0","v5.6.0","v5.6.1","v5.6.2","v5.7.0","v5.7.1","v5.7.2","v5.7.3","v5.8.0","v5.9.0","v5.10.0","v5.11.0","v5.12.0","v5.13.0","v5.14.0","v5.15.0","v5.16.0","v5.17.0","v5.17.1","v5.18.0","v5.19.0","v5.20.0","v5.21.0","v5.22.0","v5.22.1","v5.23.0","v5.24.0","v5.25.0","v5.26.0","v5.27.0","v5.28.0","v5.29.0","v5.30.0","v5.31.0","v5.32.0","v5.33.0","v5.33.1","v5.34.0","v5.35.0","v5.36.0","v5.37.0","v5.38.0","v5.38.1","v5.39.0","v5.40.0","v5.41.0","v5.42.0","v5.42.1","v5.43.0","v5.43.1","v5.43.2","v5.44.0","v5.45.0","v5.45.1","v5.45.2","v5.46.0","v5.46.1","v5.47.0","v5.48.0","v5.48.1","v5.49.0","v5.49.1","v5.50.0","v5.51.0","v5.52.0","v5.53.0","v5.53.1","v5.54.0","v5.55.0","v5.56.0","v5.57.0","v5.58.0","v5.58.1","v5.59.0","v5.60.0","v5.61.0","v5.62.0","v5.63.0","v5.64.0","v5.65.0","v5.65.1","v5.65.2","v5.66.0","v5.67.0","v5.68.0","v5.69.0","v5.70.0","v5.71.0","v5.72.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xY2d4LTdwNWYtaHh2cs02gQ/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/packagist/statamic/cms","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/packagist/statamic/cms","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/packagist/statamic/cms/dependencies","status":null,"funding_links":["https://github.com/statamic","https://github.com/sponsors/statamic"],"critical":null,"issue_metadata":{"last_synced_at":"2026-02-27T23:01:07.447Z","issues_count":1707,"pull_requests_count":3822,"avg_time_to_close_issue":17771191.98612182,"avg_time_to_close_pull_request":1614953.412330827,"issues_closed_count":1296,"pull_requests_closed_count":3324,"pull_request_authors_count":196,"issue_authors_count":599,"avg_comments_per_issue":2.4229642647920326,"avg_comments_per_pull_request"
:1.0170068027210883,"merged_pull_requests_count":2887,"bot_issues_count":0,"bot_pull_requests_count":46,"past_year_issues_count":311,"past_year_pull_requests_count":713,"past_year_avg_time_to_close_issue":492796.8959537572,"past_year_avg_time_to_close_pull_request":346170.2813765182,"past_year_issues_closed_count":173,"past_year_pull_requests_closed_count":494,"past_year_pull_request_authors_count":66,"past_year_issue_authors_count":139,"past_year_avg_comments_per_issue":0.8938906752411575,"past_year_avg_comments_per_pull_request":0.391304347826087,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":12,"past_year_merged_pull_requests_count":459,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/statamic%2Fcms/issues","maintainers":[{"login":"duncanmcclean","count":1052,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/duncanmcclean"},{"login":"jasonvarga","count":514,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jasonvarga"},{"login":"jackmcdade","count":137,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jackmcdade"},{"login":"jesseleite","count":127,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jesseleite"},{"login":"joshuablum","count":17,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/joshuablum"},{"login":"pcpark98","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/pcpark98"}],"active_maintainers":[{"login":"duncanmcclean","count":215,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/duncanmcclean"},{"login":"jasonvarga","count":93,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jasonvarga"},{"login":"jackmcdade","count":41,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jackmcdade"},{"login":"jesseleite","count":24,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jesseleite"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/packages/statamic%2Fcms/v
ersions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/packages/statamic%2Fcms/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/packages/statamic%2Fcms/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/packages/statamic%2Fcms/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/packages/statamic%2Fcms/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/packages/statamic%2Fcms/codemeta","maintainers":[{"uuid":"jackmcdade","login":"jackmcdade","name":null,"email":null,"url":null,"packages_count":13,"html_url":"https://packagist.org/users/jackmcdade","role":null,"created_at":"2022-11-08T14:17:14.286Z","updated_at":"2022-11-08T14:17:14.286Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/maintainers/jackmcdade/packages"},{"uuid":"jesseleite","login":"jesseleite","name":null,"email":null,"url":null,"packages_count":6,"html_url":"https://packagist.org/users/jesseleite","role":null,"created_at":"2022-11-08T14:17:14.300Z","updated_at":"2022-11-08T14:17:14.300Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/maintainers/jesseleite/packages"},{"uuid":"statamic","login":"statamic","name":null,"email":null,"url":null,"packages_count":22,"html_url":"https://packagist.org/users/statamic","role":null,"created_at":"2022-11-08T14:17:14.308Z","updated_at":"2022-11-08T14:17:14.308Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/packagist.org/maintainers/statamic/packages"},{"uuid":"duncanmcclean","login":"duncanmcclean","name":null,"email":null,"url":null,"packages_count":19,"html_url":"https://packagist.org/users/duncanmcclean","role":null,"created_at":"2024-09-30T15:47:24.077Z","updated_at":"2024-09-30T15:47:24.077Z","packages_url":"https://packages.ecosyste.ms/api/v1/regist
ries/packagist.org/maintainers/duncanmcclean/packages"}]}