Vulnerability in Statamic Cms
CVE-2026-27593
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their b…
EPSS: 0.000 (4.3th percentile)
CVSS v3 metric
CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.
Affected products
- Statamic Cms — versions < 5.73.10; versions >= 6.0.0-alpha.1 and < 6.3.3
Weakness classification (CWE)
References
- https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw (x_refsource_CONFIRM)
- https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e (x_refsource_MISC)
- https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be (x_refsource_MISC)
- https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0 (x_refsource_MISC)
- https://github.com/statamic/cms/releases/tag/v5.73.10 (x_refsource_MISC)
- https://github.com/statamic/cms/releases/tag/v6.3.3 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-27593?
  - CVE-2026-27593 is a critical-severity vulnerability in Statamic Cms, classified under Weak Password Recovery Mechanism for Forgotten Password. CVSS score: 9.3/10. Published 2026-02-24.
- How severe is CVE-2026-27593?
  - Critical severity. CVSS v3 base score is 9.3 out of 10.