CVE-2026-33886

MEDIUM

Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Title source: cna

Description

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 12.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (4)

statamic/cms 5.73.12 - 5.73.16Packagist

statamic/cms >= 5.73.12, < 5.73.16

statamic/cms >= 6.0.0.alpha.1, < 6.7.2

statamic/statamic 5.73.12 - 5.73.16

Published Mar 27, 2026

Tracked Since Mar 29, 2026