CVE-2026-25633

EUVD-2026-6201
Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
statamicstatamic
𝑥
< 5.73.6
statamicstatamic
6.0.0 ≤
𝑥
< 6.2.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
https://github.com/statamic/cms/releases/tag/v5.73.6
https://github.com/statamic/cms/releases/tag/v6.2.5
https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h