CVE-2026-28424

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/releases/tag/v5.73.11	Release Notes
https://github.com/statamic/cms/releases/tag/v6.4.0	Release Notes
https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

No history.

Information

Published : 2026-02-27 23:16

Updated : 2026-03-05 14:46

NVD link : CVE-2026-28424

Mitre link : CVE-2026-28424

CVE.ORG link : CVE-2026-28424

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-28424", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-27T23:16:05.447", "references": [{"url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype\u2019s data endpoint for control panel users who did not have the \"view users\" permission. This has been fixed in 5.73.11 and 6.4.0."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenidos (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.11 y 6.4.0, las direcciones de correo electr\u00f3nico de los usuarios se inclu\u00edan en las respuestas del endpoint de datos del tipo de campo de usuario para los usuarios del panel de control que no ten\u00edan el permiso de 'ver usuarios'. Esto se ha corregido en las versiones 5.73.11 y 6.4.0."}], "lastModified": "2026-03-05T14:46:10.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AA21E74-C3F2-4275-8DEE-DF4DFBF43788", "versionEndExcluding": "5.73.11"}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6EDD8D-7679-4292-8F49-71B2B3ACEC87", "versionEndExcluding": "6.4.0", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}