Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
Published: 2026-03-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Apply Patch
AI Analysis

Impact

Statamic CMS contains an unauthenticated redirect vulnerability that enables attackers to cause visitors to be sent to arbitrary external sites. The flaw arises from incorrect validation of URL formats, allowing the bypass of external URL checks. This results in a classic open redirect (CWE‑601) that can be exploited for phishing or click‑jacking without compromising credentials.

Affected Systems

The issue affects Statamic CMS versions earlier than 5.73.16 or 6.7.2. These releases, built on the Laravel framework and Git infrastructure, expose unauthenticated endpoints that process redirect URLs, making any instance of the affected versions susceptible.

Risk and Exploitability

The severity assessment assigns a moderate base score of 6.1. The estimated probability that this flaw will be actively exploited today is below one percent, indicating limited current exploitation. The vulnerability is not part of the known-exploited catalog. Because an attacker only needs to trigger an unauthenticated redirect endpoint, a broad attack surface exists, though the primary threat is social engineering rather than direct system compromise.

Generated by OpenCVE AI on April 8, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Statamic CMS to version 5.73.16 or newer, or 6.7.2 or newer.
  • Back up the site configuration and data before applying the update.
  • Verify after the update that redirect endpoints reject external URLs unless they are explicitly whitelisted.
  • Review and constrain the list of allowed redirect destinations to trusted domains.

Generated by OpenCVE AI on April 8, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7f74-7q5w-hj4r Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
History

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Statamic statamic
CPEs cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products Statamic statamic

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Statamic
Statamic cms
Vendors & Products Statamic
Statamic cms

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
Title Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Statamic Cms Statamic
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:00:13.275Z

Reserved: 2026-03-24T15:10:05.681Z

Link: CVE-2026-33885

cve-icon Vulnrichment

Updated: 2026-03-31T13:59:56.769Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T21:17:25.337

Modified: 2026-04-08T14:07:18.793

Link: CVE-2026-33885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:57Z

Weaknesses