CVE-2026-33884

Published: Mar 27, 2026Modified: Apr 8, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.

Affected (2)

Products: Statamic: Statamic

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Statamic Statamic	Before 5.73.16
Statamic Statamic	From 6.0.0 to 6.7.2

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.