PT-2026-28549 · Statamic · Statamic

Published: 2026-03-26 · Updated: 2026-04-08 · CVE-2026-33882

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Statamic versions prior to 5.73.16
Statamic versions prior to 6.7.2

Description

The markdown preview endpoint in Statamic could be manipulated to retrieve augmented data from arbitrary fieldtypes. Specifically, an authenticated control panel user could access sensitive user data, including email addresses, encrypted passkey data, and encrypted two-factor authentication codes, through the users fieldtype. The /preview API endpoint is affected. The vulnerable parameter is the fieldtype used in the markdown preview.

Recommendations

Update to Statamic version 5.73.16 or later.
Update to Statamic version 6.7.2 or later.
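One way to check an installation against the fixed releases above, as an added example that is not part of the original advisory or Statamic's own code: it reads a `composer.lock` and flags the Statamic core package if it predates the patch for its branch. The package name `statamic/cms`, the helper names and the sample lock file are assumptions made for illustration.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED = {5: (5, 73, 16), 6: (6, 7, 2)}
PACKAGE = "statamic/cms"  # assumption: Composer name of the Statamic core package

# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2"},
        {"name": "statamic/cms", "version": "v5.73.9"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None if not a release tag."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-.+)?", raw.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None


def is_affected(raw):
    """True if this version predates the fixed release for its branch."""
    parsed = parse_version(raw)
    if parsed is None:
        return True  # e.g. "dev-master": cannot be compared, flag for manual review
    version, prerelease = parsed
    if version[0] > 6:
        return False  # assumption: majors after 6 postdate both fixes
    # 5.x and every older major count as "prior to 5.73.16".
    fixed = FIXED[6] if version[0] == 6 else FIXED[5]
    return version < fixed or (version == fixed and prerelease)


def audit_lock(lock_text):
    """Return (installed_version, affected) for Statamic, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

Versions that cannot be parsed as release tags are reported as affected so that they get a manual look rather than a silent pass.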

Exploit

Fix

RCE

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2026-33882
GHSA-CVH3-23VQ-W7H4

Affected products

Statamic