Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
Published: 2026-02-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

Statamic is a Laravel-based CMS. When its Glide image manipulation component is configured in insecure mode (not the default), an unauthenticated user can supply a crafted image URL, directly or through the watermark feature, and the server will request that URL on the attacker's behalf. The flaw can be used to reach and read internal network services, cloud metadata endpoints, or any other host the web server can connect to, exposing sensitive internal information and potentially enabling further attacks. This is a classic SSRF flaw (CWE-918) that threatens the confidentiality of internal resources.

Affected Systems

Any Statamic CMS installation running a version older than 5.73.11 or 6.4.0 with Glide's insecure mode enabled is affected. The fix ships in 5.73.11 and 6.4.0; insecure mode is not the default configuration, so installations that never enabled it are not exposed.

Risk and Exploitability

The CVSS 3.1 score of 6.8 (Medium) indicates moderate severity, while the EPSS score below 1% suggests that real-world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. No authentication is required: on an installation with insecure mode enabled, a single crafted request to a vulnerable image URL triggers the SSRF, giving an easy path into private internal networks.

Generated by OpenCVE AI on April 16, 2026 at 15:07 UTC.

Remediation

The vendor fix is Statamic 5.73.11 or 6.4.0, as stated in the description above; no separate vendor workaround is recorded here.

OpenCVE Recommended Actions

  • Upgrade Statamic to version 5.73.11 (5.x line) or 6.4.0 (6.x line), the first releases that patch the Glide insecure-mode flaw.
  • If upgrading immediately is not feasible, disable Glide's insecure mode (the default configuration) so the image proxy no longer fetches attacker-supplied URLs.
  • Apply network-level outbound filtering to block HTTP requests from the web server to private internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoint URLs.
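The outbound filtering in the last action can also be enforced inside the application before the proxy fetches anything; as an added example (not code from the OpenCVE page or from Statamic), the Python below rejects non-HTTP schemes and any target that resolves into the three listed ranges, and extends the deny-list to loopback, the 169.254.0.0/16 link-local range that hosts cloud metadata endpoints, and IPv6 and IPv4-mapped forms. The function names and the static resolver table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Egress deny-list: the three RFC 1918 ranges from the recommended actions, plus
# loopback, "this host", shared address space, link-local (where cloud metadata
# endpoints such as 169.254.169.254 live) and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(ip: str) -> bool:
    """True if the address must not be an outbound HTTP target."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_with_dns(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_egress_url(url: str, resolve=resolve_with_dns) -> tuple[bool, str]:
    """Decide whether the image proxy may fetch `url`.

    Every address the host resolves to is checked, since a name with one
    public and one private answer is still a way in. Connect to an address
    vetted here instead of resolving again, to avoid a DNS-rebinding race.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addresses = resolve(host)
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"

# Constructed resolver table so the example runs offline (not real DNS data).
FAKE_DNS = {"images.example.com": ["93.184.216.34"],
            "rebind.example.test": ["93.184.216.34", "10.0.0.5"]}
```

Pass `FAKE_DNS.__getitem__` as the resolver to exercise the check without network access; in production keep the default resolver and reuse its vetted addresses for the actual connection.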

Advisories

Source: GitHub GHSA
ID: GHSA-cwpp-325q-2cvp
Title: Statamic Vulnerable to Server-Side Request Forgery via Glide

History

Thu, 05 Mar 2026 15:00:00 +0000
  • First Time appeared: Statamic statamic
  • CPEs: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
  • Vendors & Products: Statamic statamic

Mon, 02 Mar 2026 22:15:00 +0000
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000
  • First Time appeared: Statamic, Statamic cms
  • Vendors & Products: Statamic, Statamic cms

Fri, 27 Feb 2026 22:30:00 +0000
  • Description: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
  • Title: Statamic Vulnerable to Server-Side Request Forgery via Glide
  • Weaknesses: CWE-918
  • References: (none listed)
  • Metrics (cvssV3_1): {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:48:43.597Z

Reserved: 2026-02-27T15:54:05.136Z

Link: CVE-2026-28423

Vulnrichment

Updated: 2026-03-02T21:48:37.669Z

NVD

Status: Analyzed

Published: 2026-02-27T23:16:05.283

Modified: 2026-03-05T14:47:10.260

Link: CVE-2026-28423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses