GHSA-v5c4-wcpj-x73m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v5c4-wcpj-x73m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v5c4-wcpj-x73m/GHSA-v5c4-wcpj-x73m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v5c4-wcpj-x73m
- Aliases
-
- CVE-2026-54242
- Published
- 2026-06-26T23:03:28Z
- Modified
- 2026-06-26T23:15:08.624826990Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
- Details
-
Impact
The Glide image proxy's URL validation could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation. This could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints.
This affects sites that pass user-supplied URLs to Glide.
Patches
This has been fixed in 5.73.24 and 6.20.1.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-367", "CWE-918" ], "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-06-26T23:03:28Z" }- References
Affected packages
Packagist / statamic/cms
Package
- Name
- statamic/cms
- Purl
- pkg:composer/statamic%2Fcms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.73.24
Affected versions
v3.*
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-beta.4
v3.0.0-beta.5
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.0-beta.8
v3.0.0-beta.9
v3.0.0-beta.10
v3.0.0-beta.11
v3.0.0-beta.12
v3.0.0-beta.13
v3.0.0-beta.14
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.18
v3.0.0-beta.19
v3.0.0-beta.20
v3.0.0-beta.21
v3.0.0-beta.22
v3.0.0-beta.23
v3.0.0-beta.24
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.40
v3.0.0-beta.41
v3.0.0-beta.42
v3.0.0-beta.43
v3.0.0-beta.44
v3.0.0-beta.45
v3.0.0-beta.46
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.35.1
v3.0.36
v3.0.36.1
v3.0.37
v3.0.38
v3.0.39
v3.0.40
v3.0.41
v3.0.42
v3.0.43
v3.0.44
v3.0.45
v3.0.46
v3.0.47
v3.0.48
v3.0.49
v3.1.0-alpha.1
v3.1.0-alpha.2
v3.1.0-alpha.3
v3.1.0-alpha.4
v3.1.0-beta.1
v3.1.0-beta.2
v3.1.0-beta.3
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.22
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.2.0-beta.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.3.0-beta.1
v3.3.0-beta.2
v3.3.0-beta.3
v3.3.0-beta.4
v3.3.0-beta.5
v3.3.0-beta.6
v3.3.0-beta.7
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.17
v3.3.18
v3.3.19
v3.3.20
v3.3.21
v3.3.22
v3.3.23
v3.3.24
v3.3.25
v3.3.26
v3.3.27
v3.3.28
v3.3.29
v3.3.30
v3.3.31
v3.3.32
v3.3.33
v3.3.34
v3.3.35
v3.3.36
v3.3.37
v3.3.38
v3.3.39
v3.3.40
v3.3.41
v3.3.42
v3.3.43
v3.3.44
v3.3.45
v3.3.46
v3.3.47
v3.3.48
v3.3.49
v3.3.50
v3.3.51
v3.3.52
v3.3.53
v3.3.54
v3.3.55
v3.3.56
v3.3.57
v3.3.58
v3.3.59
v3.3.60
v3.3.61
v3.3.62
v3.3.63
v3.3.64
v3.3.65
v3.3.66
v3.3.67
v3.3.68
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v4.*
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.12.0
v4.13.0
v4.13.1
v4.13.2
v4.14.0
v4.15.0
v4.16.0
v4.17.0
v4.18.0
v4.19.0
v4.20.0
v4.21.0
v4.22.0
v4.23.0
v4.23.1
v4.23.2
v4.24.0
v4.25.0
v4.26.0
v4.26.1
v4.27.0
v4.28.0
v4.29.0
v4.30.0
v4.31.0
v4.32.0
v4.33.0
v4.34.0
v4.35.0
v4.36.0
v4.37.0
v4.38.0
v4.39.0
v4.40.0
v4.41.0
v4.42.0
v4.42.1
v4.43.0
v4.44.0
v4.45.0
v4.46.0
v4.47.0
v4.48.0
v4.49.0
v4.50.0
v4.51.0
v4.52.0
v4.53.0
v4.53.1
v4.53.2
v4.54.0
v4.55.0
v4.56.0
v4.56.1
v4.57.0
v4.57.1
v4.57.2
v4.57.3
v4.58.0
v4.58.1
v4.58.2
v4.58.3
v5.*
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-beta.1
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.0-beta.4
v5.0.0
v5.0.1
v5.0.2
v5.1.0
v5.2.0
v5.3.0
v5.4.0
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.9.0
v5.10.0
v5.11.0
v5.12.0
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.17.0
v5.17.1
v5.18.0
v5.19.0
v5.20.0
v5.21.0
v5.22.0
v5.22.1
v5.23.0
v5.24.0
v5.25.0
v5.26.0
v5.27.0
v5.28.0
v5.29.0
v5.30.0
v5.31.0
v5.32.0
v5.33.0
v5.33.1
v5.34.0
v5.35.0
v5.36.0
v5.37.0
v5.38.0
v5.38.1
v5.39.0
v5.40.0
v5.41.0
v5.42.0
v5.42.1
v5.43.0
v5.43.1
v5.43.2
v5.44.0
v5.45.0
v5.45.1
v5.45.2
v5.46.0
v5.46.1
v5.47.0
v5.48.0
v5.48.1
v5.49.0
v5.49.1
v5.50.0
v5.51.0
v5.52.0
v5.53.0
v5.53.1
v5.54.0
v5.55.0
v5.56.0
v5.57.0
v5.58.0
v5.58.1
v5.59.0
v5.60.0
v5.61.0
v5.62.0
v5.63.0
v5.64.0
v5.65.0
v5.65.1
v5.65.2
v5.66.0
v5.67.0
v5.68.0
v5.69.0
v5.70.0
v5.71.0
v5.72.0
v5.73.0
v5.73.1
v5.73.2
v5.73.3
v5.73.4
v5.73.5
v5.73.6
v5.73.7
v5.73.8
v5.73.9
v5.73.10
v5.73.11
v5.73.12
v5.73.13
v5.73.14
v5.73.15
v5.73.16
v5.73.17
v5.73.18
v5.73.19
v5.73.20
v5.73.21
v5.73.22
v5.73.23
Packagist / statamic/cms
Package
- Name
- statamic/cms
- Purl
- pkg:composer/statamic%2Fcms