CVE-2026-28423 · HIGH 8.6 · EPSS p29.5%

CVE-2026-28423

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs, either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.38% probability of exploitation · percentile 29.5% · 2026-06-19T12:03:05Z
Published: 2026-02-27
Last modified: 2026-03-05

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/statamic/cms/releases/tag/v5.73.11
  2. https://github.com/statamic/cms/releases/tag/v6.4.0
  3. https://github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp

Type      Target                                        Confidence  Tier
Weakness  Server-Side Request Forgery (SSRF), cwe-918   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-45660
  2. CVE: CVE-2025-64112
  3. CVE: CVE-2026-28425
  4. CVE: CVE-2026-27593
  5. CVE: CVE-2026-25759
  6. CVE: CVE-2026-27939

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.