statamic/cms
php · statamic/cms · Heads-up
statamic/cms: Authenticated users can view unauthorized resource metadata and content
An authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including en
27 Jun 2026 · schedule it
php · statamic/cms · Heads-up
statamic/cms: Glide image proxy SSRF via DNS rebinding
The Glide image proxy's URL validation could be bypassed using DNS rebinding, allowing server-side request forgery to internal add
27 Jun 2026 · schedule it
php · statamic/cms · Heads-up
statamic/cms: CSV export now neutralizes spreadsheet formula characters
Form submission values are now neutralized for spreadsheet formula characters when exported to CSV, preventing formula injection.
27 Jun 2026 · schedule it
php · statamic/cms · Heads-up
statamic/cms Live Preview Authorization Bypass Patched
Live Preview endpoint for existing entries and terms now enforces edit authorization when rendering caller-supplied field values,
27 Jun 2026 · schedule it
php · statamic/cms · Critical
statamic/cms: Incomplete fix for GHSA-4jjr-vmv7-wh4w allows sort parameter manipulation
In-memory collection sorting lacked protection, allowing manipulation of sort parameters to cause loss of content and assets.
27 Jun 2026 · act now