PT-2026-28549 · Statamic · Statamic

Published: 2026-03-26 · Updated: 2026-04-08 · CVE-2026-33882

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Statamic versions prior to 5.73.16
Statamic versions prior to 6.7.2

Description

The markdown preview endpoint in Statamic could be manipulated to retrieve augmented data from arbitrary fieldtypes. Specifically, an authenticated control panel user could access sensitive user data, including email addresses, encrypted passkey data, and encrypted two-factor authentication codes, through the users fieldtype. The /preview API endpoint is affected. The vulnerable parameter is the fieldtype used in the markdown preview.

Recommendations

Update to Statamic version 5.73.16 or later.
Update to Statamic version 6.7.2 or later.

Exploit

Fix

RCE

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-33882
GHSA-CVH3-23VQ-W7H4

Affected Products

Statamic