CVE-2026-33883

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33883

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33883.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33883

Aliases

GHSA-3jg4-p23x-p4qx

Published

2026-03-27T20:37:21.190Z

Modified

2026-04-10T05:42:57.572753Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Details

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the user:reset_password_form tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33883.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/statamic/cms

Affected ranges

Type

GIT

Repo

https://github.com/statamic/cms

Events

Introduced

Fixed

291a660355d8a20a8c49537dcc92bab2ba7e6eb1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.73.16"
        }
    ]
}

Type

GIT

Repo

https://github.com/statamic/cms

Events

Introduced

1025dbc537fdb606c73209ab54d865b345d241d4

Fixed

0b45b8a5c1537e83a4252d3f7681f2e9572653b0

Database specific

{
    "versions": [
        {
            "introduced": "6.0.0-alpha.1"
        },
        {
            "fixed": "6.7.2"
        }
    ]
}

Affected versions

v3.*

v3.0.0

v3.0.0-beta.15

v3.0.0-beta.16

v3.0.0-beta.17

v3.0.0-beta.25

v3.0.0-beta.26

v3.0.0-beta.27

v3.0.0-beta.28

v3.0.0-beta.29

v3.0.0-beta.30

v3.0.0-beta.31

v3.0.0-beta.32

v3.0.0-beta.33

v3.0.0-beta.34

v3.0.0-beta.35

v3.0.0-beta.36

v3.0.0-beta.37

v3.0.0-beta.38

v3.0.0-beta.39

v3.0.0-beta.40

v3.0.0-beta.41

v3.0.0-beta.42

v3.0.0-beta.43

v3.0.0-beta.44

v3.0.0-beta.45

v3.0.0-beta.46

v3.0.1

v3.0.10

v3.0.11

v3.0.12

v3.0.13

v3.0.14

v3.0.15

v3.0.16

v3.0.17

v3.0.18

v3.0.19

v3.0.2

v3.0.20

v3.0.21

v3.0.22

v3.0.23

v3.0.24

v3.0.25

v3.0.26

v3.0.27

v3.0.28

v3.0.29

v3.0.3

v3.0.30

v3.0.31

v3.0.32

v3.0.33

v3.0.34

v3.0.35

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.0-alpha.1

v3.1.0-alpha.2

v3.1.0-alpha.3

v3.1.0-alpha.4

v3.1.0-beta.1

v3.1.0-beta.2

v3.1.0-beta.3

v3.2.0

v3.2.0-beta.1

v3.2.1

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.14

v3.2.15

v3.2.16

v3.2.17

v3.2.18

v3.2.19

v3.2.2

v3.2.20

v3.2.21

v3.2.22

v3.2.23

v3.2.24

v3.2.25

v3.2.26

v3.2.27

v3.2.28

v3.2.29

v3.2.3

v3.2.30

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.0-beta.1

v3.3.0-beta.2

v3.3.0-beta.3

v3.3.0-beta.4

v3.3.0-beta.5

v3.3.0-beta.6

v3.3.0-beta.7

v3.3.1

v3.3.10

v3.3.11

v3.3.12

v3.3.13

v3.3.14

v3.3.15

v3.3.16

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.4.0

v3.4.1

v3.4.2

v4.*

v4.0.0

v4.0.0-alpha.1

v4.0.0-alpha.2

v4.0.0-alpha.3

v4.0.0-alpha.4

v4.0.0-alpha.5

v4.0.0-beta.1

v4.0.0-beta.2

v4.0.0-beta.3

v4.0.0-beta.4

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.10.0

v4.10.1

v4.10.2

v4.11.0

v4.12.0

v4.13.0

v4.13.1

v4.13.2

v4.14.0

v4.15.0

v4.16.0

v4.17.0

v4.18.0

v4.19.0

v4.2.0

v4.20.0

v4.21.0

v4.22.0

v4.23.0

v4.23.1

v4.23.2

v4.24.0

v4.25.0

v4.26.0

v4.26.1

v4.27.0

v4.28.0

v4.29.0

v4.3.0

v4.30.0

v4.31.0

v4.32.0

v4.33.0

v4.34.0

v4.35.0

v4.36.0

v4.37.0

v4.38.0

v4.39.0

v4.4.0

v4.40.0

v4.41.0

v4.42.0

v4.42.1

v4.43.0

v4.44.0

v4.45.0

v4.46.0

v4.47.0

v4.5.0

v4.6.0

v4.7.0

v4.8.0

v4.9.0

v4.9.1

v4.9.2

v5.*

v5.0.0

v5.0.0-alpha.1

v5.0.0-alpha.2

v5.0.0-alpha.3

v5.0.0-alpha.4

v5.0.0-alpha.5

v5.0.0-alpha.6

v5.0.0-beta.1

v5.0.0-beta.2

v5.0.0-beta.3

v5.0.0-beta.4

v5.0.1

v5.0.2

v5.1.0

v5.10.0

v5.11.0

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.17.0

v5.17.1

v5.18.0

v5.19.0

v5.2.0

v5.20.0

v5.21.0

v5.22.0

v5.22.1

v5.23.0

v5.24.0

v5.25.0

v5.26.0

v5.27.0

v5.28.0

v5.29.0

v5.3.0

v5.30.0

v5.31.0

v5.32.0

v5.33.0

v5.33.1

v5.34.0

v5.35.0

v5.36.0

v5.37.0

v5.38.0

v5.38.1

v5.39.0

v5.4.0

v5.40.0

v5.41.0

v5.42.0

v5.42.1

v5.43.0

v5.43.1

v5.43.2

v5.44.0

v5.45.0

v5.45.1

v5.45.2

v5.46.0

v5.46.1

v5.47.0

v5.48.0

v5.48.1

v5.49.0

v5.49.1

v5.5.0

v5.50.0

v5.51.0

v5.52.0

v5.53.0

v5.53.1

v5.54.0

v5.55.0

v5.56.0

v5.57.0

v5.58.0

v5.58.1

v5.59.0

v5.6.0

v5.6.1

v5.6.2

v5.60.0

v5.61.0

v5.62.0

v5.63.0

v5.64.0

v5.65.0

v5.65.1

v5.65.2

v5.66.0

v5.67.0

v5.68.0

v5.69.0

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.70.0

v5.71.0

v5.72.0

v5.73.0

v5.73.1

v5.73.10

v5.73.11

v5.73.12

v5.73.13

v5.73.14

v5.73.15

v5.73.2

v5.73.3

v5.73.4

v5.73.5

v5.73.6

v5.73.7

v5.73.8

v5.73.9

v5.8.0

v5.9.0

v6.*

v6.0.0

v6.0.0-alpha.1

v6.0.0-alpha.10

v6.0.0-alpha.11

v6.0.0-alpha.12

v6.0.0-alpha.13

v6.0.0-alpha.14

v6.0.0-alpha.15

v6.0.0-alpha.16

v6.0.0-alpha.17

v6.0.0-alpha.18

v6.0.0-alpha.19

v6.0.0-alpha.2

v6.0.0-alpha.20

v6.0.0-alpha.21

v6.0.0-alpha.3

v6.0.0-alpha.4

v6.0.0-alpha.5

v6.0.0-alpha.6

v6.0.0-alpha.7

v6.0.0-alpha.8

v6.0.0-alpha.9

v6.0.0-beta.1

v6.0.0-beta.2

v6.0.0-beta.3

v6.0.0-beta.4

v6.0.0-beta.5

v6.0.0-beta.6

v6.1.0

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.4.0

v6.4.1

v6.5.0

v6.6.0

v6.6.1

v6.6.2

v6.6.3

v6.7.0

v6.7.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33883.json"