{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33884", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.681Z", "datePublished": "2026-03-27T20:38:19.737Z", "dateUpdated": "2026-03-30T15:37:30.499Z"}, "containers": {"cna": {"title": "Statamic's live preview token bypasses content protection for unrelated entries", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.16", "status": "affected"}, {"version": ">= 6.0.0-alpha.1, < 6.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:38:19.737Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2."}], "source": {"advisory": "GHSA-8vwx-ccf6-5wg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:37:18.877775Z", "id": "CVE-2026-33884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:37:30.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:37:18.877775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:37:26.298Z"}}], "cna": {"title": "Statamic's live preview token bypasses content protection for unrelated entries", "source": {"advisory": "GHSA-8vwx-ccf6-5wg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.16"}, {"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.7.2"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "name": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:38:19.737Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33884", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:37:30.499Z", "dateReserved": "2026-03-24T15:10:05.681Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:38:19.737Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2."}], "id": "CVE-2026-33884", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:25.183", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-03-28T05:32:47.072398+00:00", "value": {"mitigation_remediation": ["Upgrade Statamic to version 5.73.16 or newer, or 6.7.2 or newer."], "summary": {"action": "Patch Now", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are Statamic CMS 5 prior to 5.73.16 and 6 prior to 6.7.2. Identified as statamic:cms in the CNA list. No other affected versions are documented.", "description_and_impact": "An authenticated user with access to the Control Panel\u2019s live preview feature can exploit a flaw in Statamic CMS that allows the live preview token to be used to view content entries that are not intended for that token, thereby bypassing entry\u2011level content protection. The vulnerability is a privilege escalation / unauthorized data exposure issue, classified under CWE\u2011863. The impact is that a legitimate user could read restricted content that they should not have access to.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated Control Panel session with live\u2011preview permissions, so the attack surface is limited to insiders or compromised credentials. The attack vector is likely internal, through normal use of the live preview function."}}}}, "created": "2026-03-29T20:30:05.268442+00:00", "updated": "2026-03-30T07:00:23.887513+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}