CVE-2026-33885 MEDIUM

CVE-2026-33885: Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Vendor Statamic

Product cms

Weakness CWE-601 · Open redirect

Published March 27, 2026

Last update March 31, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.

Key dates

02Disclosure timeline

March 27, 2026 CVE published

March 31, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33885 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

Identifiers

CVE CVE-2026-33885

CWE CWE-601

CVSS 6.1 / MEDIUM

Affected versions

Vendor Statamic

Product cms

Affected < 5.73.16

Vendor Statamic

Product cms

Affected >= 6.0.0.alpha.1, < 6.7.2

CVE-2026-33885: Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

01Description

02Disclosure timeline

03References

04Related CVE