Arbitrary HTTP Request Vulnerability in Statamic CMS
CVE-2026-28423
6.8 MEDIUM
What is CVE-2026-28423?
Statamic CMS, a content management system built on Laravel, has an arbitrary HTTP request vulnerability that unauthenticated users can exploit. When Glide image manipulation is used in insecure mode (which is not the default), attackers can manipulate the image proxy into sending HTTP requests to arbitrary URLs. This poses a significant risk, as it may allow unauthorized access to internal services or cloud metadata endpoints. Users are advised to upgrade to version 5.73.11 or 6.4.0, where this vulnerability has been addressed.
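The destination check an image proxy needs before it fetches a remote source, as an added Python example (not Statamic's or Glide's code, and not the fix shipped in 5.73.11 or 6.4.0). `check_image_source`, `allowed_hosts` and the injectable `resolver` are hypothetical names chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):
    """Resolve host to the set of addresses the OS would connect to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_ip(text):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(text.split("%", 1)[0])  # drop IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return (mapped or ip).is_global

def check_image_source(url, allowed_hosts=None, resolver=system_resolver):
    """Return (ok, reason) for a remote image URL requested through the proxy."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    if not host or parts.username is not None or parts.password is not None:
        return False, "missing host or embedded credentials"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal: no lookup needed
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    # Every address must be public: one internal record is enough to refuse.
    for addr in addresses:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The result only holds if the fetch then connects to one of the validated addresses and the same check runs again on every redirect target.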
Affected Version(s)
cms < 5.73.11
cms >= 6.0.0, < 6.4.0
