CVE-2026-25633

MEDIUM EPSS 20.2%
Published Feb 11, 2026 (4mo ago) · Modified Feb 18, 2026 (4mo ago)
4.3 CVSS 3.1
Medium

Description

Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
20.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-862 Missing Authorization

Affected Products 2

Vendor    Product   Version  Range
statamic  statamic  *        <5.73.6
statamic  statamic  *        ≥6.0.0 – <6.2.5

References 4

  • github.com https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
    Patch, Product
  • github.com https://github.com/statamic/cms/releases/tag/v5.73.6
    Release Notes
  • github.com https://github.com/statamic/cms/releases/tag/v6.2.5
    Release Notes
  • github.com https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
    Vendor Advisory

Remediation

  • github.com https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
    Patch, Product