← Zuruck zu CVEs
CVE-2026-28423
MEDIUM6.8
Beschreibung
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
CVE Details
CVSS v3.1 Bewertung6.8
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
AngriffsvektorNETWORK
KomplexitatHIGH
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht2/27/2026
Zuletzt geandert3/5/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
statamic:statamic
Schwachen (CWE)
CWE-918
Referenzen
https://github.com/statamic/cms/releases/tag/v5.73.11(security-advisories@github.com)
https://github.com/statamic/cms/releases/tag/v6.4.0(security-advisories@github.com)
https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.