CVE-2026-33886

EUVD-2026-16830
Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Affected Products (NVD)
VendorProductVersion
statamicstatamic
5.73.12 ≤
𝑥
< 5.73.16
statamicstatamic
6.5.0 ≤
𝑥
< 6.7.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f