CVE-2023-47129

HIGH

Statamic < 3.4.13 and 4.0.0-4.33.0 - Unrestricted Upload of File with Dangerous Type via Front-End Forms

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-47129. PoCs published by Cyber-Wo0dy.

AI-analyzed exploit summary This repository provides a detailed technical writeup for CVE-2023-47129, a remote code execution vulnerability in Statamic CMS versions <4.33.0. It explains how an attacker can bypass mime validation to upload malicious PHP files disguised as images, leading to arbitrary code execution.

Description

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.

Exploits (1)

nomisec WRITEUP 3 stars

by Cyber-Wo0dy · poc

https://github.com/Cyber-Wo0dy/CVE-2023-47129

View Code ZIP pw:eip

This repository provides a detailed technical writeup for CVE-2023-47129, a remote code execution vulnerability in Statamic CMS versions <4.33.0. It explains how an attacker can bypass mime validation to upload malicious PHP files disguised as images, leading to arbitrary code execution.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Statamic CMS <4.33.0

No auth needed

Prerequisites: Statamic CMS installation with a form containing an Asset Field · Ability to upload files via the form

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1204 - User Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc

Patch x_refsource_misc

https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77

View Patch ZIP pw:eip

Scores

CVSS v3 8.3

EPSS 0.0596

EPSS Percentile 90.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

statamic/cms 4.0.0 - 4.33.0Packagist

statamic/statamic < 3.4.13

Published Nov 10, 2023

Tracked Since Feb 18, 2026