PT-2026-53029 · Packagist · Statamic Cms

Published

2026-06-26

·

Updated

2026-06-26

·

CVE-2026-54244

CVSS v3.1

3.5

Low

VectorAV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Impact

The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL rendering it.

Patches

This has been fixed in 5.74.0 and 6.20.3.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54244
GHSA-7MQQ-4V55-88GH

Affected Products

Statamic Cms