Password Reset Vulnerability in Statamic CMS by Statamic
CVE-2026-27593

9.3 CRITICAL

Key Information:

Vendor: Statamic
Status: Vendor
CVE Published: 24 February 2026

What is CVE-2026-27593?

CVE-2026-27593 is a vulnerability in Statamic CMS, a content management system built on Laravel that uses Git for website content management. The flaw resides in Statamic's password reset feature and affects versions prior to 6.3.3 and 5.73.10. An attacker who captures a user's password reset token can use it to reset the password of that valid user account. To carry out the attack, the attacker must know the email address associated with the target account and must rely on the victim interacting with a malicious link, usually delivered by email. Successful exploitation can lead to unauthorized access to sensitive information, manipulation of website content, and ultimately compromise of the user's account.

Potential impact of CVE-2026-27593

  1. Unauthorized Account Access: The vulnerability allows attackers to gain access to legitimate user accounts, which can lead to unauthorized actions such as data manipulation, content alterations, or even complete account takeover.

  2. Data Breach Risks: With successful exploitation, attackers may access sensitive data associated with user accounts, including personal information, which heightens the risk of data breaches and can have legal and reputational consequences for affected organizations.

  3. Website Integrity Compromise: By taking control of user accounts, attackers could manipulate the content displayed on the website, potentially leading to misinformation, brand damage, and loss of user trust.

Affected Version(s)

cms: affected < 5.73.10; patched in 5.73.10

cms: affected >= 6.0.0-alpha.1, < 6.3.3; patched in 6.3.3 (versions below 6.0.0-alpha.1 fall under the 5.x range above)

References

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
