CVE-2026-33882
Statamic's Markdown preview endpoint exposes sensitive user data
6.5
MEDIUM
CVSS 3.1
EPSS 0.11%
Description
### Impact The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. ### Patches This has been fixed in 5.73.16 and 6.7.2.
How to fix CVE-2026-33882
To remediate CVE-2026-33882, upgrade the affected package to a fixed version below.
- —upgrade to 5.73.16 or later
Is CVE-2026-33882 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 5.73.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |