CVE-2026-27593 CRITICAL

CVE-2026-27593: Statamic is vulnerable to account takeover via password reset link injection

Vendor Statamic

Product cms

Weakness CWE-640 · Weak password recovery

Published February 24, 2026

Last update February 27, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.

Key dates

02Disclosure timeline

February 24, 2026 CVE published

February 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27593 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/640.html

Related vulnerabilities

Identifiers

CVE CVE-2026-27593

CWE CWE-640

CVSS 9.3 / CRITICAL

Affected versions

Vendor Statamic

Product cms

Affected < 5.73.10

Vendor Statamic

Product cms

Affected >= 6.0.0-alpha.1, < 6.3.3

CVE-2026-27593: Statamic is vulnerable to account takeover via password reset link injection

01Description

02Disclosure timeline

03References

04Related CVE