CVE-2026-27939

Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a	Patch
https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-27 22:16

Updated : 2026-03-10 15:20

NVD link : CVE-2026-27939

Mitre link : CVE-2026-27939

CVE.ORG link : CVE-2026-27939

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

{"id": "CVE-2026-27939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-27T22:16:22.993", "references": [{"url": "https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user\u2019s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. A partir de la versi\u00f3n 6.0.0 y antes de la versi\u00f3n 6.4.0, los usuarios autenticados del Panel de Control pueden, bajo ciertas condiciones, obtener privilegios elevados sin completar el paso de verificaci\u00f3n previsto. Esto puede permitir el acceso a operaciones sensibles y, dependiendo de los permisos existentes del usuario, puede conducir a la escalada de privilegios. Esto ha sido corregido en la versi\u00f3n 6.4.0."}], "lastModified": "2026-03-10T15:20:19.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6EDD8D-7679-4292-8F49-71B2B3ACEC87", "versionEndExcluding": "6.4.0", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}