{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28423", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.136Z", "datePublished": "2026-02-27T22:11:55.802Z", "dateUpdated": "2026-03-02T21:48:43.597Z"}, "containers": {"cna": {"title": "Statamic Vulnerable to Server-Side Request Forgery via Glide", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp"}, {"name": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"}, {"name": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.11", "status": "affected"}, {"version": ">= 6.0.0, < 6.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T22:11:55.802Z"}, "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs\u2014either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0."}], "source": {"advisory": "GHSA-cwpp-325q-2cvp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T21:48:27.523038Z", "id": "CVE-2026-28423", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:48:43.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28423", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T21:48:27.523038Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:48:37.669Z"}}], "cna": {"title": "Statamic Vulnerable to Server-Side Request Forgery via Glide", "source": {"advisory": "GHSA-cwpp-325q-2cvp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.11"}, {"status": "affected", "version": ">= 6.0.0, < 6.4.0"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp", "name": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "name": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "name": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs\u2014either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T22:11:55.802Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28423", "state": "PUBLISHED", "dateUpdated": "2026-03-02T21:48:43.597Z", "dateReserved": "2026-02-27T15:54:05.136Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T22:11:55.802Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AA21E74-C3F2-4275-8DEE-DF4DFBF43788", "versionEndExcluding": "5.73.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA6EDD8D-7679-4292-8F49-71B2B3ACEC87", "versionEndExcluding": "6.4.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs\u2014either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.11 y 6.4.0, cuando la manipulaci\u00f3n de im\u00e1genes de Glide se utiliza en modo inseguro (lo cual no es el predeterminado), el proxy de im\u00e1genes puede ser explotado por un usuario no autenticado para hacer que el servidor env\u00ede solicitudes HTTP a URLs arbitrarias, ya sea directamente a trav\u00e9s de la URL o mediante la funci\u00f3n de marca de agua. Eso puede permitir el acceso a servicios internos, endpoints de metadatos en la nube y otros hosts accesibles desde el servidor. Esto ha sido corregido en las versiones 5.73.11 y 6.4.0."}], "id": "CVE-2026-28423", "lastModified": "2026-03-05T14:47:10.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-02-27T23:16:05.283", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"}, {"source": "[email protected]", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "created": "2026-03-02T12:04:32.663283+00:00", "updated": "2026-03-02T12:04:32.663373+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}