CVE-2026-27593
Statamic is vulnerable to account takeover via password reset link injection
CVSS Score
9.3
EPSS Score
0.0%
EPSS Percentile
0th
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.
| CWE | CWE-640 |
| Vendor | statamic |
| Product | cms |
| Published | Feb 24, 2026 |
| Last Updated | Feb 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for statamic cms
Be the first to know when new critical vulnerabilities affecting statamic cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
statamic / cms
< 5.73.10 >= 6.0.0-alpha.1, < 6.3.3
References
github.com: https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw github.com: https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e github.com: https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be github.com: https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0 github.com: https://github.com/statamic/cms/releases/tag/v5.73.10 github.com: https://github.com/statamic/cms/releases/tag/v6.3.3