Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.
Published: 2026-03-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Statamic CMS allows an attacker to inject arbitrary JavaScript by exploiting an unescaped redirect parameter in the user:reset_password_form tag. Because the parameter value is written into the page markup without HTML encoding, this reflected XSS flaw can execute malicious code in the victim’s browser when the reset password form is opened through a crafted URL. The weakness is classified under CWE-79, indicating insufficient output encoding.
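As an added illustration of the bug class described above, not Statamic's own code: a hidden redirect field of a password reset form rendered once without and once with HTML attribute encoding, plus a same-site check on the destination. The helper names and the sample value are constructed for this example.

```php
<?php
// Added illustration of CWE-79 output encoding; not code from Statamic.
// Both helpers render the hidden "redirect" field of a password reset
// form; only the second one HTML-encodes the user-controlled value.

// Vulnerable pattern: query-string value interpolated straight into markup,
// so a value containing a double quote closes the attribute early.
function render_unsafe(string $redirect): string
{
    return '<input type="hidden" name="redirect" value="' . $redirect . '">';
}

// Hardened pattern: encode for an HTML attribute context before output.
// ENT_QUOTES encodes both quote styles, so the value cannot leave the attribute.
function render_safe(string $redirect): string
{
    $encoded = htmlspecialchars($redirect, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect" value="' . $encoded . '">';
}

// Defence in depth: only accept same-site relative paths as the post-reset
// destination. This limits open-redirect abuse but does NOT replace encoding,
// because a local path can still carry markup characters (see the sample).
function is_local_redirect(string $redirect): bool
{
    // Reject empty values, protocol-relative URLs (//host) and anything
    // carrying a scheme or host component.
    if ($redirect === '' || str_starts_with($redirect, '//')) {
        return false;
    }
    $parts = parse_url($redirect);
    return $parts !== false
        && !isset($parts['scheme'])
        && !isset($parts['host'])
        && str_starts_with($redirect, '/');
}

// Constructed sample: a local path that also breaks out of the attribute
// when rendered unescaped (benign <em> markup stands in for a script payload).
$sample = '/account"><em>injected</em>';

echo render_unsafe($sample), PHP_EOL;   // attribute closes early, markup is live
echo render_safe($sample), PHP_EOL;     // quotes and angle brackets are entity-encoded
var_dump(is_local_redirect($sample));                    // passes the path check
var_dump(is_local_redirect('https://example.invalid/'));  // rejected: has a host
```

Running it shows that the path check alone accepts the sample, which is why output encoding at the point of rendering is the actual fix for this class of bug.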

Affected Systems

Statamic CMS, versions before 5.73.16 and 6.7.2, is affected. Administrators should check whether their installation runs one of these unpatched releases.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while an EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. It is inferred that an attacker only needs to compose a malicious URL containing the unescaped redirect parameter and persuade users to click it; no authentication is required. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation.

Generated by OpenCVE AI on April 8, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify your Statamic installation version; if it is older than 5.73.16 or 6.7.2, apply the security update immediately.
  • Test the update in a staging environment before deploying to production to ensure compatibility.


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-3jg4-p23x-p4qx   Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
History

Wed, 08 Apr 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Statamic statamic
CPEs                 (none)           cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Statamic statamic

Tue, 31 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Statamic; Statamic cms
Vendors & Products   (none)           Statamic; Statamic cms

Sat, 28 Mar 2026 03:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.
Title         (none)           Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:56:50.916Z

Reserved: 2026-03-24T15:10:05.681Z

Link: CVE-2026-33883

Vulnrichment

Updated: 2026-03-30T18:56:47.454Z

NVD

Status : Analyzed

Published: 2026-03-27T21:17:25.027

Modified: 2026-04-08T14:23:30.960

Link: CVE-2026-33883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:59Z

Weaknesses