Security: statamic/cms
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Missing authorization on navigation endpoint allows disclosure of restricted entriesGHSA-qh8c-7588-qfrv published
Jul 2, 2026 by jasonvargaModerate -
Unsafe method invocation via Antlers template resolution allows data destructionGHSA-j2vp-f2pv-5rj4 published
Jul 2, 2026 by jasonvargaModerate -
Missing authorization on Control Panel endpoint allows disclosure of user existenceGHSA-225x-3jhx-wh4q published
Jul 2, 2026 by jasonvargaModerate -
Account takeover via OAuth email matching without email-verification checkGHSA-93qh-5269-9wcf published
Jul 2, 2026 by jasonvargaHigh -
Incorrect authorization lets view-only users submit Live Preview content reserved for editorsGHSA-7mqq-4v55-88gh published
Jun 9, 2026 by jasonvargaLow -
CSV formula injection in form submission exportsGHSA-h77m-qrj7-jxcw published
Jun 3, 2026 by jasonvargaModerate -
Server-Side Request Forgery via Glide (DNS rebinding)GHSA-v5c4-wcpj-x73m published
Jun 3, 2026 by jasonvargaModerate -
Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resourcesGHSA-2497-6pwj-pwg7 published
May 25, 2026 by jasonvargaModerate -
Unsafe method invocation via collection sorting allows data destructionGHSA-m92m-r54r-x8r2 published
May 25, 2026 by jasonvargaHigh -
Server-Side Request Forgery via GlideGHSA-pf9c-ch8r-2958 published
May 11, 2026 by jasonvargaModerate