QwikSec

Security Database

CVE

CWE

Training

CVE-2026-25633

Published: Feb 11, 2026

Modified: Feb 12, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

Vendor	Product	Versions
statamic	cms	affected `< 5.73.6` affected `>= 6.0.0-alpha.1, < 6.2.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h

x_refsource_CONFIRM

https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a

x_refsource_MISC

https://github.com/statamic/cms/releases/tag/v5.73.6

x_refsource_MISC

https://github.com/statamic/cms/releases/tag/v6.2.5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.