QwikSec

Security Database

CVE

CWE

Training

CVE-2026-27593

Published: Feb 24, 2026

Modified: Feb 27, 2026

PUBLISHED

CVSS v3.1

9.3

CRITICAL

Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.

Vendor	Product	Versions
statamic	cms	affected `< 5.73.10` affected `>= 6.0.0-alpha.1, < 6.3.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw

x_refsource_CONFIRM

https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e

x_refsource_MISC

https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be

x_refsource_MISC

https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0

x_refsource_MISC

https://github.com/statamic/cms/releases/tag/v5.73.10

x_refsource_MISC

https://github.com/statamic/cms/releases/tag/v6.3.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.