{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.681Z", "datePublished": "2026-03-27T20:39:17.726Z", "dateUpdated": "2026-03-31T14:00:13.275Z"}, "containers": {"cna": {"title": "Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.16", "status": "affected"}, {"version": ">= 6.0.0.alpha.1, < 6.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:39:17.726Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2."}], "source": {"advisory": "GHSA-7f74-7q5w-hj4r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:59:41.811277Z", "id": "CVE-2026-33885", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:00:13.275Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:59:41.811277Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:59:56.769Z"}}], "cna": {"title": "Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential", "source": {"advisory": "GHSA-7f74-7q5w-hj4r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.16"}, {"status": "affected", "version": ">= 6.0.0.alpha.1, < 6.7.2"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "name": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:39:17.726Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33885", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:00:13.275Z", "dateReserved": "2026-03-24T15:10:05.681Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:39:17.726Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2."}], "id": "CVE-2026-33885", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:25.337", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0.alpha.1,6.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-03-28T05:59:00.548741+00:00", "value": {"mitigation_remediation": ["Apply the latest Statamic CMS release (5.73.16 or newer, 6.7.2 or newer).", "If an upgrade cannot be performed immediately, enforce strict redirect validation so that only internal URLs are accepted after form submissions or authentication steps."], "summary": {"action": "Patch Immediately", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "All deployments running Statamic CMS versions prior to 5.73.16 and 6.7.2 are affected. The bug lies in the redirect\u2011validation logic applied to unauthenticated endpoints, including form handling and login redirects. The affected builds use the default URL parsing behavior present in those releases.", "description_and_impact": "Statamic, a Laravel- and Git\u2011powered CMS, contains a flaw that allows an attacker to craft URLs that bypass the external URL check used for redirect validation on unauthenticated endpoints. The vulnerability results in users being sent to arbitrary external sites after actions such as form submissions or authentication flows. This can facilitate phishing, malware delivery, and other social\u2011engineering attacks. The weakness is enumerated as CWE\u2011601.", "risk_and_exploitability": "The CVSS score of 6.1 reflects moderate severity. EPSS data is not provided, and the issue is not registered in the CISA KEV catalog, indicating limited known exploitation. The attack vector is inferred to be via crafted requests to unauthenticated endpoints, meaning remote attackers can exploit it by simply directing a user to a malicious link or form. Because the exploit does not require privileged access, the potential for widespread phishing remains significant for exposed sites."}}}}, "created": "2026-03-29T20:30:03.811364+00:00", "updated": "2026-03-30T07:00:22.945905+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}