CVE-2026-28423 MEDIUM

CVE-2026-28423: Statamic Vulnerable to Server-Side Request Forgery via Glide

Vendor Statamic
Product cms
Weakness CWE-918 · SSRF
Published February 27, 2026
Last update March 2, 2026

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs, either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.

Key dates

Disclosure timeline

February 27, 2026 CVE published
March 2, 2026 Record updated