CVE-2026-44306

Summary

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.

Affected Software

VendorProductVersion RangeStatus
statamiccms< 5.73.21affected
statamiccms>= 6.0.0, < 6.15.0affected

Weaknesses

  • CWE-204: CWE-204: Observable Response Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References