CVE-2026-28423

Published: Feb 27, 2026Modified: Mar 5, 2026

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.

Affected (2)

Products: Statamic: Statamic

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Statamic Statamic	Before 5.73.11
Statamic Statamic	From 6.0.0 to 6.4.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/statamic/cms/releases/tag/v5.73.11

Source: security-advisories@github.com

Release Notes

https://github.com/statamic/cms/releases/tag/v6.4.0

Source: security-advisories@github.com

Release Notes

https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.