PT-2026-28554 · Statamic · Statamic

Published

2026-03-26

Updated

2026-04-08

CVE-2026-33887

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.16 Statamic versions prior to 6.7.2

Description Statamic is a Laravel and Git powered content management system (CMS). Authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.

Recommendations Update to Statamic version 5.73.16 or later. Update to Statamic version 6.7.2 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-33887

GHSA-4HP7-3WXG-CV9Q

Affected Products

Statamic

PT-2026-28554 · Statamic · Statamic

CVE-2026-33887

Weakness Enumeration

Related Identifiers

Affected Products

References · 8