statamic/cms Security Advisories for v5.73.10 (4)
-
[HIGH] Statamic vulnerable to privilege escalation via stored cross-site scripting
PKSA-81wb-3yhb-txs4 CVE-2026-28426 GHSA-5vrj-wf7v-5wr7
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub -
[HIGH] Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
PKSA-skzr-by55-tmc5 CVE-2026-28425 GHSA-cpv7-q2wx-m8rw
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub -
[MEDIUM] Statamic's missing authorization allows access to email addresses
PKSA-hycr-3628-cp88 CVE-2026-28424 GHSA-w878-f8c6-7r63
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub -
[MEDIUM] Statamic Vulnerable to Server-Side Request Forgery via Glide
PKSA-n7ys-rxzm-bn18 CVE-2026-28423 GHSA-cwpp-325q-2cvp
Affected version: >=6.0.0-alpha.1,<6.4.0|<5.73.11
Reported by:
GitHub