CVE-2026-27939
Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the userβs existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
| CWE | CWE-287 |
| Vendor | statamic |
| Product | cms |
| Published | Feb 27, 2026 |
| Last Updated | Mar 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for statamic cms
Be the first to know when new high vulnerabilities affecting statamic cms are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
statamic / cms
>= 6.0.0, < 6.4.0