{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33882", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.681Z", "datePublished": "2026-03-27T20:36:31.666Z", "dateUpdated": "2026-03-27T20:36:31.666Z"}, "containers": {"cna": {"title": "Statamic's Markdown preview endpoint exposes sensitive user data", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.16", "status": "affected"}, {"version": ">= 6.0.0-alpha.1, < 6.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:36:31.666Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2."}], "source": {"advisory": "GHSA-cvh3-23vq-w7h4", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2."}], "id": "CVE-2026-33882", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:24.860", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-03-28T05:59:14.515574+00:00", "value": {"mitigation_remediation": ["Upgrade Statamic CMS to version 5.73.16 or later, or 6.7.2 or later.", "Verify that the markdown preview endpoint no longer returns sensitive payloads after the upgrade.", "If an upgrade cannot be performed immediately, restrict the markdown preview endpoint to administrator users or disable it entirely.", "Review user permissions to ensure only necessary roles have control panel access.", "Keep Statamic updated and monitor official advisories for future patches."], "summary": {"action": "Patch Now", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Statamic CMS prior to version 5.73.16 and 6.7.2 is affected. Users running Statamic 5.x older than 5.73.16 or Statamic 6.x older than 6.7.2 should be aware that the markdown preview endpoint may expose sensitive user data.", "description_and_impact": "Statamic, a Laravel\u2011based content management system, contains an input validation flaw in its markdown preview endpoint. The endpoint accepts arbitrary field types and returns additional data that was not intended for the preview. When the \u201cusers\u201d field type is used, an authenticated control panel user can retrieve sensitive user information such as email addresses, encrypted passkey data, and encrypted two\u2011factor authentication codes. This vulnerability results in the unintended disclosure of confidential data (CWE\u201120 and CWE\u2011200).", "risk_and_exploitability": "The CVSS base score of 6.5 denotes moderate severity. Exploitation requires a valid control panel account and is limited to users who can access the markdown preview endpoint; no remote code execution or unauthenticated exploit is possible. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Because the flaw permits authenticated users to access private user information, the risk is moderate but warrants prompt remediation."}}}}, "created": "2026-03-29T20:30:07.159422+00:00", "updated": "2026-03-30T07:00:25.756591+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}