CVE-2026-33885: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in statamic cms
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
AI Analysis
Technical Summary
CVE-2026-33885 is an open redirect vulnerability in Statamic CMS affecting versions before 5.73.16 and between 6.0.0.alpha.1 and 6.7.2. The vulnerability arises because the external URL detection mechanism used to validate redirects on unauthenticated endpoints can be bypassed. This flaw permits an attacker to redirect users to arbitrary external URLs following certain user actions like form submissions or authentication processes. The vulnerability is addressed in Statamic CMS versions 5.73.16 and 6.7.2.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to redirect users to untrusted external websites, which can be used in phishing attacks or to deliver malicious content. The CVSS score of 6.1 (medium severity) reflects the potential for limited confidentiality and integrity impact without direct system compromise or denial of service.
Mitigation Recommendations
Upgrade Statamic CMS to version 5.73.16 or later, or 6.7.2 or later, where the open redirect vulnerability has been fixed. No other specific mitigations are indicated by the vendor advisory. Patch status is confirmed by the version fixes noted in the description.
CVE-2026-33885: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in statamic cms
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33885 is an open redirect vulnerability in Statamic CMS affecting versions before 5.73.16 and between 6.0.0.alpha.1 and 6.7.2. The vulnerability arises because the external URL detection mechanism used to validate redirects on unauthenticated endpoints can be bypassed. This flaw permits an attacker to redirect users to arbitrary external URLs following certain user actions like form submissions or authentication processes. The vulnerability is addressed in Statamic CMS versions 5.73.16 and 6.7.2.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to redirect users to untrusted external websites, which can be used in phishing attacks or to deliver malicious content. The CVSS score of 6.1 (medium severity) reflects the potential for limited confidentiality and integrity impact without direct system compromise or denial of service.
Mitigation Recommendations
Upgrade Statamic CMS to version 5.73.16 or later, or 6.7.2 or later, where the open redirect vulnerability has been fixed. No other specific mitigations are indicated by the vendor advisory. Patch status is confirmed by the version fixes noted in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:10:05.681Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6efce3c064ed76ff462d8
Added to database: 3/27/2026, 8:59:58 PM
Last enriched: 4/4/2026, 10:55:05 AM
Last updated: 5/11/2026, 9:30:50 PM
Views: 32
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.