CVE-2026-28423
Published: 27 February 2026
Summary
CVE-2026-28423 is a medium-severity SSRF (CWE-918) vulnerability in Statamic Statamic. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing CMS enables initial access via T1190; directly facilitates querying cloud metadata endpoints for discovery (T1522) and credential theft (T1552.005).
NVD Description
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated…
more
user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
Deeper analysisAI
CVE-2026-28423 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Statamic, a Laravel and Git-powered content management system (CMS). The issue resides in the Glide image manipulation component when operated in insecure mode, which is not the default configuration. In versions prior to 5.73.11 and 6.4.0, the image proxy can be abused to force the server to issue HTTP requests to attacker-specified endpoints.
Unauthenticated attackers can exploit this vulnerability remotely by supplying malicious URLs either directly or through the watermark feature in Glide's insecure mode. Successful exploitation enables the attacker to access internal services, cloud metadata endpoints, and other hosts reachable from the compromised server, potentially leading to information disclosure with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
The Statamic security advisory (GHSA-cwpp-325q-2cvp) and release notes confirm the vulnerability has been addressed in versions 5.73.11 and 6.4.0. Security practitioners should upgrade to these patched versions and review configurations to ensure Glide is not enabled in insecure mode.
Details
- CWE(s)