What is CVE-2026-49288?

CVE-2026-49288 is a medium-severity vulnerability in Statamic Cms, classified under Information Disclosure. CVSS score: 4.3/10. Published 2026-06-19.

How severe is CVE-2026-49288?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Auth bypass in Statamic Cms

CVE-2026-49288

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, as…

Vulnerability class: Information Disclosure

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Affected products

Statamic Cms — versions < 5.73.23, >= 6.0.0, < 6.20.0

Weakness classification (CWE)

CWE-200 — Information Disclosure
CWE-862 — Missing Authorization
CWE-863 — Incorrect Authorization

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-49288?: CVE-2026-49288 is a medium-severity vulnerability in Statamic Cms, classified under Information Disclosure. CVSS score: 4.3/10. Published 2026-06-19.
How severe is CVE-2026-49288?: Medium severity. CVSS v3 base score is 4.3 out of 10.