Statamic’s Markdown preview endpoint exposes sensitive user data_CVE-2026-33882

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.

Basic Information

ID CVE-2026-33882

Source GitHub_M

Published Mar 27, 2026 at 20:36

Modified Mar 31, 2026 at 18:54

Affected Product

Vendor statamic

Product cms

Version < 5.73.16

Affected Versions statamic cms < 5.73.16
statamic cms >= 6.0.0-alpha.1, < 6.7.2

CWE Classification

CWE-20 CWE-200

References

github.com /statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4

{
    "lastseen": "",
    "description": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.",
    "published": "2026-03-27T20:36:31.666Z",
    "modified": "2026-03-31T18:54:08.799Z",
    "type": "cve",
    "title": "Statamic's Markdown preview endpoint exposes sensitive user data",
    "source": "GitHub_M",
    "references": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4",
    "id": "CVE-2026-33882",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "statamic cms < 5.73.16\nstatamic cms >= 6.0.0-alpha.1, < 6.7.2",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": "< 5.73.16",
    "vendor": "statamic",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}