CVE-2026-27939

Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a	Patch
https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

History

10 Mar 2026, 15:20

Type	Values Removed	Values Added
First Time		Statamic statamic Statamic
CPE		cpe:2.3:a:statamic:statamic::::::::
CWE		NVD-CWE-noinfo
References	~~() https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a -~~	() https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a - Patch
References	~~() https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789 -~~	() https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789 - Vendor Advisory
Summary		(es) Statmatic es un sistema de gestión de contenido (CMS) impulsado por Laravel y Git. A partir de la versión 6.0.0 y antes de la versión 6.4.0, los usuarios autenticados del Panel de Control pueden, bajo ciertas condiciones, obtener privilegios elevados sin completar el paso de verificación previsto. Esto puede permitir el acceso a operaciones sensibles y, dependiendo de los permisos existentes del usuario, puede conducir a la escalada de privilegios. Esto ha sido corregido en la versión 6.4.0.

27 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 22:16

Updated : 2026-03-10 15:20

NVD link : CVE-2026-27939

Mitre link : CVE-2026-27939

CVE.ORG link : CVE-2026-27939

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

8.8 /10