CVE-2026-28424

Published: Feb 27, 2026Modified: Mar 5, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.

Affected (2)

Products: Statamic: Statamic

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Statamic Statamic	Before 5.73.11
Statamic Statamic	From 6.0.0 to 6.4.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (3)

https://github.com/statamic/cms/releases/tag/v5.73.11

Source: security-advisories@github.com

Release Notes

https://github.com/statamic/cms/releases/tag/v6.4.0

Source: security-advisories@github.com

Release Notes

https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.