SSRF in Statamic Cms
CVE-2026-45660
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An u…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N.
Affected products
- Statamic Cms — versions < 5.73.22, >= 6.0.0-alpha.1, < 6.18.1
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2026-45660?
- CVE-2026-45660 is a medium-severity vulnerability in Statamic Cms, classified under Server-Side Request Forgery (SSRF). CVSS score: 5.4/10. Published 2026-05-29.
- How severe is CVE-2026-45660?
- Medium severity. CVSS v3 base score is 5.4 out of 10.