CVE-2026-33883 (severity: MEDIUM)

CVE-2026-33883: Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Vendor Statamic
Product cms
Weakness CWE-79 · XSS
Published March 27, 2026
Last update March 30, 2026

CVSS base score (v3.1)

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Statamic is a Laravel- and Git-powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser (a reflected XSS, CWE-79). This has been fixed in 5.73.16 and 6.7.2.
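The following is an added illustration of the bug class, not Statamic's own code or its fix: a password-reset form that echoes a `redirect` query parameter into a hidden input, rendered once without escaping (the vulnerable pattern) and once with a validated, HTML-escaped value. The function names, the form markup and the sample inputs are constructed for this example.

```python
import html
from urllib.parse import urlparse

# Constructed example (assumed names, not Statamic code): a reset-password form
# that reflects the "redirect" query parameter into a hidden input field.


def render_reset_form_unescaped(redirect: str) -> str:
    """Vulnerable pattern: an attacker-controlled value is interpolated raw into
    an HTML attribute, so a double quote in it closes the attribute and the
    rest of the value is parsed as markup."""
    return (
        '<form method="POST" action="/reset">'
        f'<input type="hidden" name="redirect" value="{redirect}">'
        '<input type="password" name="password">'
        '<button type="submit">Reset</button>'
        "</form>"
    )


def is_safe_redirect(redirect: str) -> bool:
    """Accept only same-site relative paths. Rejects absolute URLs (scheme or
    host present), scheme-relative '//host' forms, and '/\\host' which browsers
    normalise to '//host'."""
    if not redirect.startswith("/") or redirect.startswith(("//", "/\\")):
        return False
    parsed = urlparse(redirect)
    return parsed.scheme == "" and parsed.netloc == ""


def render_reset_form_escaped(redirect: str, fallback: str = "/") -> str:
    """Hardened pattern: validate the redirect target (fall back to a fixed path
    otherwise), then HTML-escape it for the attribute context. quote=True makes
    html.escape encode both " and ' as well as < > &."""
    target = redirect if is_safe_redirect(redirect) else fallback
    return (
        '<form method="POST" action="/reset">'
        f'<input type="hidden" name="redirect" value="{html.escape(target, quote=True)}">'
        '<input type="password" name="password">'
        '<button type="submit">Reset</button>'
        "</form>"
    )


if __name__ == "__main__":
    # Constructed input: a relative path whose query string tries to break out
    # of the value="..." attribute and inject an element.
    sample = '/account?next="><em>injected</em>'
    print("unescaped:", render_reset_form_unescaped(sample))
    print("escaped:  ", render_reset_form_escaped(sample))
```

Escaping alone is what closes the XSS; the `is_safe_redirect` check is the companion control for the same parameter, since a redirect target that is reflected verbatim is also a classic open-redirect sink. Note that `html.escape` is correct for an attribute or text-node context only; a value placed inside a `<script>` block or a `javascript:` URL needs context-specific encoding instead.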

Disclosure timeline

March 27, 2026 CVE published
March 30, 2026 Record updated
