Impact
Statamic’s Glide image proxy does not normalize URLs before performing a public‑IP check, allowing an unauthenticated attacker to supply a URL that points to an internal address. The server will then make an HTTP request to the target, exposing internal network information or services. This is a classic server‑side request forgery and can lead to information disclosure or further lateral movement within the infrastructure. The flaw is classified with a CVSS score of 5.4, indicating moderate severity.
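The following is an added illustration, not Statamic's or Glide's code, of why a public-IP check has to run on a canonicalized host: a string-matching check (`naive_is_public`, a hypothetical stand-in for the weak pattern described above) is shown beside a hardened check (`is_safe_fetch_url`) that parses the URL, normalizes alternate IPv4 spellings, resolves hostnames, unwraps IPv4-mapped IPv6 and only then applies a blocklist of non-public ranges. All function names and the sample hosts are assumptions constructed for this example; the resolver is injectable so the test runs offline.

```python
# Added illustration (not Statamic's or Glide's code): a URL pre-check for a
# server-side image fetcher that canonicalizes the host before deciding
# whether it is public.  Names such as is_safe_fetch_url are assumptions.
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher should never reach: "this" network,
# RFC 1918, CGNAT, loopback, link-local, IPv6 equivalents and v4-mapped v6.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def naive_is_public(url: str) -> bool:
    """Hypothetical weak check: a string match on the host with no
    normalization, so only dotted-decimal spellings are recognised."""
    host = (urlsplit(url).hostname or "").lower()
    return not (host == "localhost"
                or host.startswith(("127.", "10.", "192.168.", "169.254.")))


def parse_ipv4_literal(host: str):
    """Canonicalize the IPv4 spellings inet_aton-style resolvers accept
    (decimal, octal, hex, 1-3 part shorthand).  Returns an IPv4Address, or
    None when `host` is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if p[:2].lower() == "0x":
            base, digits = 16, p[2:]
        elif len(p) > 1 and p[0] == "0":
            base, digits = 8, p[1:]
        else:
            base, digits = 10, p
        allowed = "0123456789abcdef"[:base]
        if not digits or any(c not in allowed for c in digits.lower()):
            return None
        nums.append(int(digits, base))
    value = 0
    for n in nums[:-1]:                # every part but the last is one octet
        if n > 255:
            return None
        value = (value << 8) | n
    last_bits = 8 * (5 - len(nums))    # the last part fills the remaining bytes
    if nums[-1] >= 1 << last_bits:
        return None
    return ipaddress.IPv4Address((value << last_bits) | nums[-1])


def _system_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def resolve_targets(host: str, resolver=None):
    """Every IP address the fetcher could connect to for `host`."""
    literal = parse_ipv4_literal(host)
    if literal is not None:
        return [literal]
    try:
        return [ipaddress.ip_address(host)]   # bare IPv6 literal
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in (resolver or _system_resolver)(host)]


def is_safe_fetch_url(url: str, resolver=None) -> bool:
    """Hardened check: parse, canonicalize, resolve, then apply the blocklist
    to every resulting address (after unwrapping IPv4-mapped IPv6)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or parts.username is not None:   # no user@host confusables
        return False
    try:
        targets = resolve_targets(host, resolver)
    except (socket.gaierror, ValueError, UnicodeError):
        return False
    if not targets:
        return False
    for ip in targets:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False
    return True
```

Two caveats remain even with the hardened check: a name resolved at check time can resolve differently at fetch time, so the fetcher should connect to the address that was vetted rather than resolving again, and any HTTP redirect the fetcher follows needs the same check applied to the new location.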
Affected Systems
The vulnerability affects Statamic CMS versions older than 5.73.22 in the 5.x line and older than 6.18.1 in the 6.x line. Sites that render user-supplied URLs through Glide are susceptible. Installations running PHP 8.3 or newer are not affected, because the code path was removed. All other installations of the listed Statamic versions that rely on Glide require remediation.
Risk and Exploitability
The CVSS rating of 5.4 reflects moderate potential impact, and the risk is high where external users can supply arbitrary URLs to Glide. Broader enterprise risk is limited by the fact that the bug is only exploitable if the Glide proxy is exposed to external input. Because no EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation. Nonetheless, an attacker could trigger internal probes, potentially unearthing hidden services or credentials, which makes this a plausible vector for reconnaissance or pivoting.
OpenCVE Enrichment
Github GHSA