CVE-2026-25633

Published: Feb 11, 2026Modified: Feb 18, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

Affected (2)

Products: Statamic: Statamic

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Statamic Statamic	Before 5.73.6
Statamic Statamic	From 6.0.0 to 6.2.5

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a

Source: security-advisories@github.com

PatchProduct

https://github.com/statamic/cms/releases/tag/v5.73.6

Source: security-advisories@github.com

Release Notes

https://github.com/statamic/cms/releases/tag/v6.2.5

Source: security-advisories@github.com

Release Notes

https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.