Composer CVE Archive

statamic/cms CVE Vulnerabilities

All known CVEs affecting statamic/cms. Kodem’s runtime-powered SCA reveals which are actually reachable in your application.

Known vulnerabilities

CVE | Summary | Severity
CVE-2026-54243 | Statamic Vulnerable to CSV formula injection in form submission exports | Medium
CVE-2026-54242 | Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) | Medium
CVE-2026-49287 | Statamic CMS's unsafe method invocation via collection sorting allows data… | High
CVE-2026-49288 | Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows… | Medium
CVE-2026-45660 | Statamic CMS: Server-Side Request Forgery via Glide | Medium
CVE-2026-44306 | Statamic CMS vulnerable to email enumeration via forgot password endpoint | Medium
CVE-2026-41175 | Statamic: Unsafe method invocation via query value resolution allows data… | High
CVE-2026-33887 | Statamic allows unauthorized content access through missing authorization in… | Medium
CVE-2026-33886 | Statamic's sensitive configuration values are exposed to content editors via… | Medium
CVE-2026-33885 | Statamic has an Open Redirect on unauthenticated endpoints via URL parsing… | Medium
CVE-2026-33884 | Statamic's live preview token bypasses content protection for unrelated entries | Medium
CVE-2026-33883 | Statamic has Reflected XSS via unescaped redirect parameter in its password… | Medium
CVE-2026-33882 | Statamic's Markdown preview endpoint exposes sensitive user data | Medium
CVE-2026-33177 | Statamic is missing authorization check on taxonomy term creation via fieldtype | Medium
CVE-2026-33171 | Statamic has a path traversal in file dictionary fieldtype | Medium
CVE-2026-33172 | Statamic has Stored XSS via SVG Sanitization Bypass | High
CVE-2026-32612 | Statamic vulnerable to privilege escalation via stored cross-site scripting | Medium
CVE-2026-28426 | Statamic vulnerable to privilege escalation via stored cross-site scripting | High
CVE-2026-28425 | Statamic vulnerable to remote code execution via Antlers-enabled control panel… | High
CVE-2026-28424 | Statamic's missing authorization allows access to email addresses | Medium
CVE-2026-28423 | Statamic Vulnerable to Server-Side Request Forgery via Glide | Medium
CVE-2026-27939 | Statamic allows Authenticated Control Panel users to escalate privileges via… | High
CVE-2026-27593 | Statamic is vulnerable to account takeover via password reset link injection | Critical
CVE-2026-27196 | Statamic affected by privilege escalation via stored cross-site scripting | High
CVE-2026-25759 | Statamic CMS vulnerable to privilege escalation via stored cross-site scripting | High
CVE-2026-25633 | Statamic CMS's missing authorization allows access to assets | Medium
CVE-2025-64112 | Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site… | High
CVE-2024-52600 | Statamic CMS has a Path Traversal in Asset Upload | Medium
CVE-2024-24570 | Statamic CMS vulnerable to account takeover via XSS and password reset link | High
CVE-2023-48701 | Cross-site Scripting via uploaded assets | High
CVE-2023-48217 | Statamic CMS vulnerable to remote code execution via form uploads | High
CVE-2023-47129 | Statamic CMS remote code execution via front-end form uploads | High
CVE-2023-36828 | Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG | Medium
CVE-2017-11422 | Statamic framework Incorrect Permission Assignment | High

Prioritize statamic/cms vulnerabilities

Kodem Kai can identify which of these CVEs are reachable in your dependency tree and generate targeted fix recommendations.

Get a demo →

Stop the waste.
Protect your environment with Kodem.