{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T19:28:00.267","vulnerabilities":[{"cve":{"id":"CVE-2026-28425","sourceIdentifier":"security-advisories@github.com","published":"2026-02-27T23:16:05.607","lastModified":"2026-03-25T21:16:39.127","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version."},{"lang":"es","value":"Statmatic es un sistema de gestión de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.11 y 6.4.0, un usuario autenticado del panel de control con acceso a entradas habilitadas para Antlers podría lograr ejecución remota de código en el contexto de la aplicación. Eso puede llevar a un compromiso total de la aplicación, incluyendo acceso a configuración sensible, modificación o exfiltración de datos, y potencial impacto en la disponibilidad. La explotación solo es posible donde Antlers se ejecuta en contenido controlado por el usuario—por ejemplo, campos de contenido con Antlers explícitamente habilitado (requiriendo permiso para configurar campos y editar entradas), configuración incorporada que soporta Antlers como la configuración de notificación por correo electrónico de Formularios (requiriendo permiso de configuración), o complementos de terceros que añaden campos habilitados para Antlers a las entradas (por ejemplo, el complemento SEO Pro). En cada caso, el atacante debe tener los permisos relevantes del panel de control. Esto ha sido corregido en 5.73.11 y 6.4.0. Los usuarios de complementos que dependen de Statamic deben asegurarse de que después de actualizar están ejecutando una versión de Statamic parcheada."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*","versionEndExcluding":"5.73.11","matchCriteriaId":"6AA21E74-C3F2-4275-8DEE-DF4DFBF43788"},{"vulnerable":true,"criteria":"cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.4.0","matchCriteriaId":"FA6EDD8D-7679-4292-8F49-71B2B3ACEC87"}]}]}],"references":[{"url":"https://github.com/statamic/cms/releases/tag/v5.73.11","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/statamic/cms/releases/tag/v6.4.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}