CVE-2026-33884

MEDIUM

Statamic's live preview token bypasses content protection for unrelated entries

Title source: cna

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.

References (1)

[X_Refsource_Confirm] https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

statamic/cms 0 - 5.73.16Packagist

statamic/cms < 5.73.16

statamic/cms >= 6.0.0-alpha.1, < 6.7.2

statamic/statamic < 5.73.16

Published Mar 27, 2026

Tracked Since Mar 29, 2026