CVE-2026-25633

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a	Patch Product
https://github.com/statamic/cms/releases/tag/v5.73.6	Release Notes
https://github.com/statamic/cms/releases/tag/v6.2.5	Release Notes
https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

No history.

Information

Published : 2026-02-11 21:16

Updated : 2026-02-18 19:36

NVD link : CVE-2026-25633

Mitre link : CVE-2026-25633

CVE.ORG link : CVE-2026-25633

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-25633", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-11T21:16:18.910", "references": [{"url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "tags": ["Patch", "Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/releases/tag/v5.73.6", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/releases/tag/v6.2.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5."}, {"lang": "es", "value": "Statamic es un CMS impulsado por Laravel + Git dise\u00f1ado para construir sitios web. Antes de las versiones 5.73.6 y 6.2.5, los usuarios sin permiso para ver activos pueden descargarlos y ver sus metadatos. Los usuarios que no han iniciado sesi\u00f3n y los usuarios sin permiso para acceder al panel de control no pueden aprovecharse de esto. Esto ha sido corregido en las versiones 5.73.6 y 6.2.5."}], "lastModified": "2026-02-18T19:36:44.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88DCC3F4-B944-450D-BE1D-34F2D8ACBE89", "versionEndExcluding": "5.73.6"}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C94BE13-7888-4AB4-ABF0-CCA533C344E6", "versionEndExcluding": "6.2.5", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}