CVE-2026-25633

Description

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

statamic / cms< 5.73.6 – < 5.73.6
statamic / cms>= 6.0.0-alpha.1, < 6.2.5 – >= 6.0.0-alpha.1, < 6.2.5

References

VENDOR_ADVISORYhttps://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
PATCHhttps://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
PATCHhttps://github.com/statamic/cms/releases/tag/v5.73.6
PATCHhttps://github.com/statamic/cms/releases/tag/v6.2.5