
Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.

PUBLISHED Reserved 2026-02-27 | Published 2026-02-27 | Updated 2026-02-27 | Assigner GitHub_M




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-862: Missing Authorization

Product status

< 5.73.11
affected

>= 6.0.0, < 6.4.0
affected

References

github.com/...ic/cms/security/advisories/GHSA-w878-f8c6-7r63

github.com/statamic/cms/releases/tag/v5.73.11

github.com/statamic/cms/releases/tag/v6.4.0

cve.org (CVE-2026-28424)

nvd.nist.gov (CVE-2026-28424)
