CVE-2026-33885
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
6.1
MEDIUM
CVSS 3.1
EPSS 0.05%
Description
### Impact The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. ### Patches This has been fixed in 5.73.16 and 6.7.2.
How to fix CVE-2026-33885
To remediate CVE-2026-33885, upgrade the affected package to a fixed version below.
- —upgrade to 5.73.16 or later
Is CVE-2026-33885 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 5.73.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |