PT-2026-53029 · Packagist · Statamic Cms
Published
2026-06-26
·
Updated
2026-06-26
·
CVE-2026-54244
CVSS v3.1
3.5
Low
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
Impact
The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL rendering it.
Patches
This has been fixed in 5.74.0 and 6.20.3.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Statamic Cms