CVE-2026-33882 - Vulnerability Details

- Statamic's Markdown preview endpoint exposes sensitive user data

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.

Published: 2026-03-27

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Statamic’s markdown preview endpoint allows an attacker who is authenticated to the control panel to manipulate the request and receive data from arbitrary fieldtypes. The users fieldtype can expose email addresses, encrypted passkey data and encrypted two‑factor authentication codes. This vulnerability enables disclosure of sensitive user information, constituting an information‑exposure flaw.

Affected Systems

Statamic CMS versions earlier than 5.73.16 and 6.7.2 are affected. The flaw exists in the markdown preview endpoint that is part of the core CMS, and it is exploitable by any user with control‑panel access.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. The EPSS rating is below 1 %, showing a low probability that it is currently being exploited in the wild. It is also not listed in CISA’s KEV catalog, confirming that no known exploits are active. The attack vector is likely an authenticated user within the CMS control panel; therefore accidental exposure requires legitimate credentials, but if an attacker gains such access, they can immediately pull user data from the preview endpoint without any further privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

statamic

cms

affected

Version	Status	Constraints
`< 5.73.16`	affected	—
`>= 6.0.0-alpha.1, < 6.7.2`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

No data.

Vendor Product Confidence Versions

Statamic

Cms

100%

Version	Status	Scheme	Platform
`[0,5.73.16)`	affected	semver	—
`[6.0.0-alpha.1,6.7.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Statamic CMS to version 5.73.16 or later, or 6.7.2 or later
Verify that the markdown preview endpoint no longer returns user data after the update

Generated by OpenCVE AI on April 8, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-cvh3-23vq-w7h4	Statamic's Markdown preview endpoint exposes sensitive user data

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00072.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4

History

Wed, 08 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Statamic statamic
CPEs		cpe:2.3:a:statamic:statamic::::::::
Vendors & Products		Statamic statamic

Tue, 31 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Statamic Statamic cms
Vendors & Products		Statamic Statamic cms

Sat, 28 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.
Title		Statamic's Markdown preview endpoint exposes sensitive user data
Weaknesses		CWE-20 CWE-200
References		https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Statamic Cms Statamic

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-27T20:36:31.666Z

Updated: 2026-03-31T18:54:08.799Z

Reserved: 2026-03-24T15:10:05.681Z

Link: CVE-2026-33882

Vulnrichment

Updated: 2026-03-31T18:50:43.597Z

NVD

Status : Analyzed

Published: 2026-03-27T21:17:24.860

Modified: 2026-04-08T14:27:34.913

Link: CVE-2026-33882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:00Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object