Cyber Resilience

CVE-2026-28423

Medium

Published: 27 February 2026

Published
27 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0038 29.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-28423 is a medium-severity SSRF (CWE-918) vulnerability in Statamic Statamic. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-28423 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Statamic, a Laravel and Git-powered content management system (CMS). The issue resides in the Glide image manipulation component when operated in insecure mode, which is not the default configuration. In versions prior to 5.73.11 and 6.4.0, the image proxy can be abused to force the server to issue HTTP requests to attacker-specified endpoints.

Unauthenticated attackers can exploit this vulnerability remotely by supplying malicious URLs either directly or through the watermark feature in Glide's insecure mode. Successful exploitation enables the attacker to access internal services, cloud metadata endpoints, and other hosts reachable from the compromised server, potentially leading to information disclosure with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

The Statamic security advisory (GHSA-cwpp-325q-2cvp) and release notes confirm the vulnerability has been addressed in versions 5.73.11 and 6.4.0. Security practitioners should upgrade to these patched versions and review configurations to ensure Glide is not enabled in insecure mode.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated…

more

user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing CMS enables initial access via T1190; directly facilitates querying cloud metadata endpoints for discovery (T1522) and credential theft (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28425Same product: Statamic Statamic
CVE-2026-25759Same product: Statamic Statamic
CVE-2026-41175Same product: Statamic Statamic
CVE-2026-27593Same product: Statamic Statamic
CVE-2026-28426Same product: Statamic Statamic
CVE-2026-33172Same product: Statamic Statamic
CVE-2026-27196Same product: Statamic Statamic
CVE-2026-27939Same product: Statamic Statamic
CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918

Affected Assets

statamic
statamic
≤ 5.73.11 · 6.0.0 — 6.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved information flows so the server cannot be tricked into issuing HTTP requests to arbitrary internal or external endpoints via the Glide proxy.

prevent

Boundary-protection rules can deny or proxy outbound connections from the CMS to internal services and cloud metadata endpoints that the SSRF vector targets.

prevent

Requires prompt application of the vendor patches (5.73.11 / 6.4.0) that close the insecure Glide proxy path described in the CVE.

References