Statamic/cms

This hub aggregates every CVE we track for Statamic/cms, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Statamic/cms.

• CVE-2026-32612Statamic: privilege escalation via stored cross-site scripting5.4Mar 12, 2026
• CVE-2026-28426Statamic vulnerable to privilege escalation via stored cross-site scripting8.7Feb 27, 2026
• CVE-2026-28425Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs8.0Feb 27, 2026
• CVE-2026-28424Statamic's missing authorization allows access to email addresses6.5Feb 27, 2026
• CVE-2026-28423Statamic Vulnerable to Server-Side Request Forgery via Glide6.8Feb 27, 2026
• CVE-2026-27939Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass8.8Feb 27, 2026
• CVE-2026-27593Statamic is vulnerable to account takeover via password reset link injection9.3Feb 24, 2026
• CVE-2026-27196Statamic affected by privilege escalation via stored Cross-site Scripting8.1Feb 21, 2026
• CVE-2026-25759Statmatic affected by privilege escalation via stored cross-site scripting8.7Feb 11, 2026
• CVE-2026-25633Statamic's missing authorization allows access to assets4.3Feb 11, 2026
• CVE-2025-64112Statmatic vulnerable to Stored Cross-Site Scripting8.0Oct 30, 2025
• CVE-2024-52600Statamic CMS has Path Traversal in Asset Upload5.3Nov 19, 2024
• CVE-2024-36119Password confirmation stored in plain text via registration form in statamic/cms1.8May 30, 2024
• CVE-2024-24570Statamic account takeover via XSS and password reset link8.2Feb 1, 2024
• CVE-2023-48701Statamic CMS vulnerable to Cross-site Scripting via uploaded assets7.5Nov 21, 2023