CVE-2026-33887

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

08 Apr 2026, 13:54

Type	Values Removed	Values Added
References	~~() https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q -~~	() https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q - Vendor Advisory
CPE		cpe:2.3:a:statamic:statamic::::::::
First Time		Statamic statamic Statamic

27 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 21:17

Updated : 2026-04-08 13:54

NVD link : CVE-2026-33887

Mitre link : CVE-2026-33887

CVE.ORG link : CVE-2026-33887

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-862

Missing Authorization

5.4 /10