Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.
Published: 2026-02-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover
Action: Patch immediately
AI Analysis

Impact

The vulnerability resides in Statamic's password‑reset feature. An attacker who knows a target user's e‑mail address can obtain the reset token and force a password change, enabling full account takeover without the user's knowledge. The flaw is classified as CWE‑640, reflecting impersonation through compromised credentials.

Affected Systems

Statamic CMS is affected. Versions earlier than 6.3.3 for the latest major release and earlier than 5.73.10 for the legacy release are vulnerable. All deployments of Statamic that have not applied these patches remain at risk.

Risk and Exploitability

The CVSS score of 9.3 signals critical severity. Exploitation probability is currently very low, with an EPSS score below 1%. The vulnerability is not in the CISA KEV catalog. Exploitation depends on user interaction: the attacker triggers a reset for the target's e‑mail address, and the user must receive and click the unfamiliar reset link even though they never requested it, a classic click‑through scenario. Once that happens, the reset token is captured and the password is overwritten, giving the attacker full control of the account.

Generated by OpenCVE AI on April 16, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Statamic update to v6.3.3 or v5.73.10 or later to remove the password‑reset flaw.
  • If an update cannot be performed immediately, temporarily disable the password reset endpoint or restrict reset requests to verified users.
  • Implement or enforce multi‑factor authentication for all user accounts to reduce the risk of account takeover if a password is changed.

Generated by OpenCVE AI on April 16, 2026 at 16:20 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-jxq9-79vj-rgvw
Title: Statamic is vulnerable to account takeover via password reset link injection
History

Fri, 27 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Statamic statamic

Type: CPEs
Values Added: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Statamic statamic

Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Statamic; Statamic cms

Type: Vendors & Products
Values Added: Statamic; Statamic cms

Tue, 24 Feb 2026 22:00:00 +0000

Type: Description
Values Added: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.

Type: Title
Values Added: Statamic is vulnerable to account takeover via password reset link injection

Type: Weaknesses
Values Added: CWE-640

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:56:07.561Z

Reserved: 2026-02-20T19:43:14.601Z

Link: CVE-2026-27593

Vulnrichment

Updated: 2026-02-27T20:56:03.345Z

NVD

Status : Analyzed

Published: 2026-02-24T22:16:32.867

Modified: 2026-02-25T20:27:52.497

Link: CVE-2026-27593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses