DNS Rebinding Vulnerability in Statamic CMS Affecting User-Submitted URLs
CVE-2026-54242

4.9MEDIUM

Key Information:

Vendor

Statamic

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-54242?

Statamic CMS, a content management system utilizing Laravel and Git, is susceptible to a DNS rebinding vulnerability in its Glide image proxy. Prior to versions 5.73.24 and 6.20.1, the URL validation mechanism in Glide could be bypassed, allowing an attacker to manipulate DNS records. This oversight allows for remote hostname validation and potential re-binding to internal server addresses post-validation. Consequently, an attacker could exploit this flaw to initiate HTTP requests to internal resources, including cloud metadata and private network endpoints, particularly affecting installations that handle user-provided URLs. Users are encouraged to upgrade to the latest versions to mitigate this vulnerability.

Affected Version(s)

cms < 5.73.24 < 5.73.24

cms >= 6.0.0, < 6.20.1 < 6.0.0, 6.20.1

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.