{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33886", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.681Z", "datePublished": "2026-03-27T20:40:22.577Z", "dateUpdated": "2026-03-31T18:54:03.269Z"}, "containers": {"cna": {"title": "Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 5.73.12, < 5.73.16", "status": "affected"}, {"version": ">= 6.0.0.alpha.1, < 6.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:40:22.577Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2."}], "source": {"advisory": "GHSA-gcqf-5x9f-hq7f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:40.570898Z", "id": "CVE-2026-33886", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:54:03.269Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33886", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:40.570898Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:41.580Z"}}], "cna": {"title": "Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields", "source": {"advisory": "GHSA-gcqf-5x9f-hq7f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.73.12, < 5.73.16"}, {"status": "affected", "version": ">= 6.0.0.alpha.1, < 6.7.2"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f", "name": "https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:40:22.577Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33886", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:54:03.269Z", "dateReserved": "2026-03-24T15:10:05.681Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:40:22.577Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "92075754-9F2E-48BB-BDC1-633959995B8E", "versionEndExcluding": "5.73.16", "versionStartIncluding": "5.73.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "00951847-F802-497B-AE90-7E9C19A95566", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. This has been fixed in 5.73.16 and 6.7.2."}], "id": "CVE-2026-33886", "lastModified": "2026-04-08T14:04:00.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:25.490", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.73.12,5.73.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0.alpha.1,6.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-04-08T15:25:11.377626+00:00", "value": {"mitigation_remediation": ["Upgrade Statamic to version\u00a05.73.16 or later", "Upgrade Statamic to version\u00a06.7.2 or later", "If an upgrade is not yet possible, restrict or disable Antlers syntax for content editors to prevent insertion of configuration variables"], "summary": {"action": "Patch immediately", "impact": "Sensitive Configuration Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Statamic\u00a0CMS. Versions starting from 5.7.12 up to, but not including, 5.73.16, and from 6.7.0 up to, but not including, 6.7.2 are vulnerable. Upstream updates to 5.73.16 and 6.7.2 contain the fix.", "description_and_impact": "The vulnerability allows a control panel user with Antlers\u2011enabled field access to retrieve sensitive application configuration values by inserting configuration variable references into content fields. This leads to leakage of potentially confidential settings such as database credentials, API keys, and other environment variables. The weakness corresponds to improper information disclosure (CWE\u2011200).", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. EPSS is below 1\u202f%, meaning the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to have control\u2011panel access to configure Antlers syntax; once authenticated, the attacker can embed configuration variables and read secrets. Because the attack vector is internal to the CMS, it is limited to users with editing permissions, but the impact remains significant if privileged users are compromised."}}}}, "created": "2026-03-29T20:30:02.807012+00:00", "updated": "2026-04-08T20:00:56.144128+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}