{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28424", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.136Z", "datePublished": "2026-02-27T22:14:01.779Z", "dateUpdated": "2026-03-02T19:36:06.660Z"}, "containers": {"cna": {"title": "Statamic's missing authorization allows access to email addresses", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63"}, {"name": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"}, {"name": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.11", "status": "affected"}, {"version": ">= 6.0.0, < 6.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T22:14:01.779Z"}, "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype\u2019s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0."}], "source": {"advisory": "GHSA-w878-f8c6-7r63", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T19:35:55.949657Z", "id": "CVE-2026-28424", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:36:06.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28424", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T19:35:55.949657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:36:00.974Z"}}], "cna": {"title": "Statamic's missing authorization allows access to email addresses", "source": {"advisory": "GHSA-w878-f8c6-7r63", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.11"}, {"status": "affected", "version": ">= 6.0.0, < 6.4.0"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "name": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "name": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "name": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype\u2019s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T22:14:01.779Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28424", "state": "PUBLISHED", "dateUpdated": "2026-03-02T19:36:06.660Z", "dateReserved": "2026-02-27T15:54:05.136Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T22:14:01.779Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AA21E74-C3F2-4275-8DEE-DF4DFBF43788", "versionEndExcluding": "5.73.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA6EDD8D-7679-4292-8F49-71B2B3ACEC87", "versionEndExcluding": "6.4.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype\u2019s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenidos (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.11 y 6.4.0, las direcciones de correo electr\u00f3nico de los usuarios se inclu\u00edan en las respuestas del endpoint de datos del tipo de campo de usuario para los usuarios del panel de control que no ten\u00edan el permiso de 'ver usuarios'. Esto se ha corregido en las versiones 5.73.11 y 6.4.0."}], "id": "CVE-2026-28424", "lastModified": "2026-03-05T14:46:10.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-02-27T23:16:05.447", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"}, {"source": "[email protected]", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "created": "2026-03-02T12:04:30.911151+00:00", "updated": "2026-03-02T12:04:30.911268+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}