CVE-2026-27593 (GCVE-0-2026-27593)
Vulnerability from cvelistv5
Published: 2026-02-24 21:38
Modified: 2026-02-27 20:56
Severity: CVSS 3.1 base score 9.3 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, as scored by the CNA in the record below
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Summary
Statamic is a Laravel- and Git-powered content management system (CMS). Before versions 6.3.3 and 5.73.10, the password reset feature let an attacker capture a user's reset token and reset that user's password. The CNA title describes the flaw as password reset link injection, which matches the description: the attacker triggers a reset for a known account email and controls where the reset link in the resulting email points, so the victim's click delivers the token to the attacker, who then completes the reset. Two preconditions apply: the attacker must know the email address of a valid account on the site, and the victim must click the link in a reset email they did not request (hence User Interaction: Required in the CVSS vector). The CNA rates the issue 9.3 Critical with changed scope; CISA's SSVC enrichment records no known exploitation and marks it not automatable. Fixed in 6.3.3 and 5.73.10: update the statamic/cms package to at least 5.73.10 on the 5.x line or 6.3.3 on the 6.x line. The fix commits and release tags are linked in the record below.
Impacted products
Vendor    Product  Version
statamic  cms      < 5.73.10
statamic  cms      >= 6.0.0-alpha.1, < 6.3.3
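The two affected ranges above are the kind of thing that gets mis-checked by hand, especially the pre-release lower bound (6.0.0-alpha.1 sorts before 6.0.0) and Composer's habit of writing tagged releases with a leading "v". The script below is an added example, not code from Statamic, GitHub or this record: it reads the affected ranges straight out of a trimmed copy of the CVE JSON 5 record shown further down, reads the pinned statamic/cms version from a composer.lock (the lock excerpt is constructed for the example, in Composer's real layout), and returns a verdict alongside the CNA's CVSS score. It assumes Statamic's tags follow semver pre-release ordering, which is also how the record's own "6.0.0-alpha.1" bound reads.

```python
"""Triage helper for CVE-2026-27593: affected ranges from the CVE record,
installed version from composer.lock, verdict plus CVSS score."""
import json
import re

# Trimmed copy of the record on this page; only the fields read below are kept.
CVE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2026-27593"},
    "containers": {"cna": {
        "affected": [{"vendor": "statamic", "product": "cms", "versions": [
            {"status": "affected", "version": "< 5.73.10"},
            {"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.3.3"},
        ]}],
        "metrics": [{"cvssV3_1": {
            "baseScore": 9.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
        }}],
    }},
}

# Constructed composer.lock excerpt: Composer's real layout is a "packages" list
# of objects with "name" and "version", tagged releases carrying a leading "v".
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.44.0"},
        {"name": "statamic/cms", "version": "v6.3.1"},
    ],
    "packages-dev": [],
})

# Semver ordering assumed for Statamic tags: a final release sorts after every
# pre-release of the same major.minor.patch.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?")
_CLAUSE_RE = re.compile(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """'v5.73.10' -> (5, 73, 10, 1, 0, 0); '6.0.0-alpha.1' -> (6, 0, 0, 0, 0, 1)."""
    m = _VERSION_RE.fullmatch(text.strip().lstrip("vV"))
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0, 0)
    tag = m.group(4).lower()
    if tag not in _PRERELEASE_RANK:
        raise ValueError(f"unknown pre-release tag in {text!r}")
    return (major, minor, patch, 0, _PRERELEASE_RANK[tag], int(m.group(5) or 0))


def in_range(version, range_expr):
    """True when every comma-separated clause of a CNA-style range holds."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = _CLAUSE_RE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def affected_ranges(record, vendor="statamic", product="cms"):
    """The 'affected' version expressions for one vendor/product in a CVE 5 record."""
    ranges = []
    for entry in record["containers"]["cna"]["affected"]:
        if entry.get("vendor") == vendor and entry.get("product") == product:
            ranges += [v["version"] for v in entry["versions"]
                       if v.get("status") == "affected"]
    return ranges


def is_affected(version, record=CVE_RECORD):
    return any(in_range(version, r) for r in affected_ranges(record))


def installed_version(composer_lock_json, package="statamic/cms"):
    """Version string Composer pinned for a package, or None if it is absent."""
    lock = json.loads(composer_lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg["version"]
    return None


def triage(composer_lock_json, record=CVE_RECORD):
    """Verdict for one deployment, with the CNA's score for prioritisation."""
    cvss = record["containers"]["cna"]["metrics"][0]["cvssV3_1"]
    installed = installed_version(composer_lock_json)
    return {
        "cve": record["cveMetadata"]["cveId"],
        "installed": installed,
        "affected": installed is not None and is_affected(installed, record),
        "base_score": cvss["baseScore"],
        "vector": cvss["vectorString"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_COMPOSER_LOCK))
```

Note that a 6.3.3 pre-release such as 6.3.3-rc.1 still falls inside the "< 6.3.3" bound and is reported as affected, while "v6.3.3" and anything later is not; a version string the parser does not understand (for example a Composer "dev-main" branch alias) raises rather than silently passing, which is the right failure mode for a patch check.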


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T20:55:56.535981Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T20:56:07.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "statamic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.73.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0-alpha.1, \u003c 6.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user\u0027s token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn\u0027t request the reset. This has been fixed in 6.3.3 and 5.73.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T21:38:17.354Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"
        },
        {
          "name": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"
        },
        {
          "name": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"
        },
        {
          "name": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"
        },
        {
          "name": "https://github.com/statamic/cms/releases/tag/v5.73.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/releases/tag/v5.73.10"
        },
        {
          "name": "https://github.com/statamic/cms/releases/tag/v6.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/releases/tag/v6.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-jxq9-79vj-rgvw",
        "discovery": "UNKNOWN"
      },
      "title": "Statamic is vulnerable to account takeover via password reset link injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27593",
    "datePublished": "2026-02-24T21:38:17.354Z",
    "dateReserved": "2026-02-20T19:43:14.601Z",
    "dateUpdated": "2026-02-27T20:56:07.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}