CVE-2026-28423 — Statamic Vulnerable to Server-Side Request Forgery via Glide

Description

### Impact When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. ## Patches This has been fixed in 5.73.11 and 6.4.0.

How to fix CVE-2026-28423

To remediate CVE-2026-28423, upgrade the affected package to a fixed version below.

—upgrade to 5.73.11 or later

Is CVE-2026-28423 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.73.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-28423
PATCHgithub.com/statamic/cms
WEBgithub.com/statamic/cms/releases/tag/v5.73.11
WEBgithub.com/statamic/cms/releases/tag/v6.4.0
WEB