SCA: security update for statamic/cms (GHSA-2497-6pwj-pwg7)

medium Tenable Self-Hosted Container Security Plugin ID 444056

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an
authenticated Control Panel user could view metadata and content for resources they don't have permission
to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the
resource, this could expose titles, custom field values, entry content, asset metadata, and the existence
of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.
(CVE-2026-49288)

Solution

Update the statamic/cms library and its related packages to a fixed version: 5.73.23 or later, or 6.20.0 or later.

See Also

https://github.com/advisories/GHSA-2497-6pwj-pwg7

Plugin Details

Severity: Medium

ID: 444056

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/27/2026

Risk Information

VPR

Risk Factor: Low

Score: 2.9

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2026-49288

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/19/2026

Reference Information

CVE: CVE-2026-49288