CVE-2026-33885

Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.

INFO

Published Date :

2026-03-27T20:39:17.726Z

Last Modified :

2026-03-27T20:39:17.726Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33885 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33885.

URL	Resource
https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact