CVE-2026-27939

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27939

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27939.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27939

Aliases

GHSA-rw9x-pxqx-q789

Published

2026-02-27T21:34:39.107Z

Modified

2026-03-03T02:56:49.834299Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

Details

Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27939.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/statamic/cms

Affected ranges

Type: GIT
Repo: https://github.com/statamic/cms
Events: Introduced

d1bb31cfa1191226cee2a2d1e17aa4c25541e568

Fixed

0d0c2ede3a6478726e0429a124569d4265360be7

Affected versions

v5.*

v5.73.10

v5.73.3

v5.73.4

v5.73.5

v5.73.6

v5.73.7

v5.73.8

v5.73.9

v6.*

v6.0.0

v6.1.0

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.3.0

v6.3.1

v6.3.2

v6.3.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27939.json"