PT-2026-41695 · Statamic+1 · Cms+1

Haoit · Published 2026-05-18 · Updated 2026-05-31 · CVE-2026-45660

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Statamic versions prior to 5.73.22
Statamic versions prior to 6.18.1

Description

The Glide image proxy contains a flaw where URL validation can be bypassed using an IP representation that is not normalized before the public-IP check. This allows an unauthenticated user to force the server to make HTTP requests to internal addresses, such as loopback, private networks, and cloud metadata endpoints. This issue specifically affects sites that pass user-supplied URLs to Glide and does not impact sites running PHP 8.3 or newer.

Recommendations

Update to version 5.73.22.
Update to version 6.18.1.
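The ordering issue named in the description, shown as an added example (not Statamic's code and not the actual patch): a URL check that refuses IP literals that are not in canonical form before applying the public-address test, and applies that test to every address a hostname resolves to. `check_fetch_url`, `sample_resolve` and the sample hostnames are hypothetical; the page does not say which representation affects Glide, so this sketch rejects every non-canonical numeric host.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts built only from decimal/hex number groups and dots. Some parsers read
# such strings as an IPv4 address even though they are not dotted-decimal.
_NUMERIC_HOST = re.compile(r"(0x[0-9a-f]*|\d+)(\.(0x[0-9a-f]*|\d+))*\.?", re.I)


def check_fetch_url(url, resolve):
    """Return (allowed, reason). `resolve` maps a hostname to a list of IP strings."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or empty host"
    try:
        ip = ipaddress.ip_address(host)
        # Normalisation step: accept an IPv4 literal only in canonical form.
        if ip.version == 4 and str(ip) != host:
            return False, "non-canonical IP literal"
        candidates = [ip]
    except ValueError:
        if _NUMERIC_HOST.fullmatch(host):
            return False, "non-canonical IP literal"
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "resolution failed"
    if not candidates:
        return False, "resolution failed"
    for ip in candidates:
        # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"non-public address {ip}"
    return True, "public"


# Constructed resolver stub and sample names so the example runs offline.
_SAMPLE_DNS = {"images.example.test": ["93.184.216.34"],
               "intranet.example.test": ["10.0.0.5"]}


def sample_resolve(host):
    return _SAMPLE_DNS.get(host, [])
```

The check only holds if the HTTP client then connects to the address that was validated and does not follow redirects to hosts that were never checked.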

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-45660
GHSA-PF9C-CH8R-2958

Affected Products

Cms
Statamic Cms