Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/statamic/cms/security/advisories/GHSA-pf9c-ch8r-2958
Scores
CVSS v3
5.4
EPSS
0.0015
EPSS Percentile
4.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (4)
statamic/cms
0 - 5.73.22Packagist
statamic/cms
6.0.0-alpha.1 - 6.18.1Packagist
statamic/cms
< 5.73.22
statamic/cms
>= 6.0.0-alpha.1, < 6.18.1
Published
May 29, 2026
Tracked Since
May 29, 2026