CVE-2026-27593 · HIGH 8.8 · EPSS p36.3%

CVE-2026-27593

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.3% · 2026-06-19T12:03:05Z
Published: 2026-02-24
Last modified: 2026-02-25

Underlying weaknesses · 1

CWE-640

References

  1. https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e
  2. https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be
  3. https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0
  4. https://github.com/statamic/cms/releases/tag/v5.73.10
  5. https://github.com/statamic/cms/releases/tag/v6.3.3
  6. https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw

Type: Weakness · Target: Weak Password Recovery Mechanism for Forgotten Password (CWE-640) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-27939
CVE: CVE-2026-25759
CVE: CVE-2025-64112
CVE: CVE-2026-28423
CVE: CVE-2026-28425
CVE: CVE-2026-33172
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.