๐Ÿ” CVE Alert

CVE-2026-54244

LOW 3.5

Statamic: Incorrect authorization lets view-only users submit Live Preview content reserved for editors

CVSS Score
3.5
EPSS Score
0.0%
EPSS Percentile
0th

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.74.0 and 6.20.3, the Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewController.php only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL rendering it. This issue is fixed in versions 5.74.0 and 6.20.3.

CWE CWE-863
Vendor statamic
Product cms
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for statamic cms

Be the first to know when new low vulnerabilities affecting statamic cms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

statamic / cms
< 5.74.0 >= 6.0.0, < 6.20.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/statamic/cms/security/advisories/GHSA-7mqq-4v55-88gh github.com: https://github.com/statamic/cms/pull/14791 github.com: https://github.com/statamic/cms/commit/87b9998f4d9e40de53346402ccf6eb3c17ba168f github.com: https://github.com/statamic/cms/releases/tag/v5.74.0 github.com: https://github.com/statamic/cms/releases/tag/v6.20.3