PT-2026-28553 · Statamic · Statamic

Published 2026-03-26 · Updated 2026-03-28 · CVE-2026-33886

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Statamic versions 5.7.12 through 5.73.15
Statamic versions 6.7.0 through 6.7.1

Description

A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.

Recommendations

Update to Statamic version 5.73.16 or later.
Update to Statamic version 6.7.2 or later.

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-33886
GHSA-GCQF-5X9F-HQ7F

Affected Products

Statamic