PT-2026-28550 · Statamic · Statamic
Published
2026-03-26
·
Updated
2026-03-28
·
CVE-2026-33883
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Statamic versions prior to 5.73.16
Statamic versions prior to 6.7.2
Description
The `user:reset_password_form` tag does not escape user-supplied input before rendering it as HTML. An attacker who can get a victim to open a crafted URL can inject arbitrary HTML and JavaScript into the rendered reset-password page, which then executes in the victim's browser (reflected cross-site scripting). The vulnerable component is the `user:reset_password_form` tag; the vulnerable parameter is the user-supplied value reflected from the request URL.
Recommendations
Update to Statamic version 5.73.16 or later.
Update to Statamic version 6.7.2 or later.
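To make the bug class concrete, here is an added illustration. It is not Statamic's code and not the vendor's fix: a hypothetical PHP renderer for the hidden field of a reset-password form, with the parameter name `token`, the request path `/reset` and the attacker string all assumed. The unsafe variant interpolates the URL-supplied value straight into an attribute; the safe variant applies the same `htmlspecialchars()` call that Laravel's `e()` helper uses.

```php
<?php
// Added illustration, not Statamic's code. Hypothetical renderer for the
// hidden field of a reset-password form that reflects a URL-supplied value
// (parameter name `token` is an assumption) into the page.

// Constructed attacker-controlled value, as it would arrive from a crafted URL:
// /reset?token=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
$crafted = '"><script>alert(document.domain)</script>';

// Vulnerable: raw interpolation of user input into an HTML attribute.
// The leading `">` closes the attribute and the tag, so the rest is parsed
// as markup and the script runs in the victim's browser.
function renderHiddenFieldUnsafe(string $token): string
{
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// Fixed: escape for the HTML attribute context before concatenating.
// ENT_QUOTES | ENT_SUBSTITUTE with UTF-8 is what Laravel's e() helper passes.
function renderHiddenFieldSafe(string $token): string
{
    $escaped = htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $escaped . '">';
}

// Regression check: only the template's own `<input` may open a tag, so
// exactly one '<' is expected in correctly escaped output.
function isEscaped(string $html): bool
{
    return substr_count($html, '<') === 1;
}

echo renderHiddenFieldUnsafe($crafted), PHP_EOL;
echo renderHiddenFieldSafe($crafted), PHP_EOL;
var_dump(isEscaped(renderHiddenFieldUnsafe($crafted)));
var_dump(isEscaped(renderHiddenFieldSafe($crafted)));
```

Run it with `php example.php`. The unsafe line prints a live `<script>` element, the safe line prints `&quot;&gt;&lt;script&gt;...` inside the attribute, and the checks return `false` and `true` respectively. The fix is contextual escaping at the point of output, not input filtering; the same value may need different encoding if it is later placed into JavaScript or a URL.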
Weakness Enumeration
XSS (cross-site scripting)
Affected Products
Statamic