9.3

Statamic Password Reset Link Can Be Hijacked

CVE-2026-27593 GHSA-jxq9-79vj-rgvw
Summary

An attacker can reset a user's password by sending them a fake password reset link. To protect your users, update to Statamic version 6.3.3 or 5.73.10.

What to do
  • Update statamic cms to version 5.73.10.
  • Update statamic cms to version 6.3.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| statamic | cms | <= 5.73.10 | 5.73.10 |
| statamic | cms | > 6.0.0-alpha.1, <= 6.3.3 | 6.3.3 |
| statamic | statamic | <= 5.73.10 | |
| statamic | statamic | > 6.0.0, <= 6.3.3 | |
Original title
Statamic is vulnerable to account takeover via password reset link injection
Original description
## Impact

An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.

The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.
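The weakness class behind this advisory (CWE-640) is a password recovery flow in which the link the user receives can be influenced by someone other than the site. The following Python sketch is an added example, not Statamic's code and not its fix; it assumes a generic reset flow with a canonical origin fixed in configuration (`CANONICAL_ORIGIN`, constructed here), and shows the three defensive properties a reviewer checks for: the link's host comes only from configuration, the token is stored hashed with an expiry, and it is accepted exactly once.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration for this example: the site's origin is a fixed
# setting, never derived from anything the incoming request supplies.
CANONICAL_ORIGIN = "https://example.test"
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    token_hash: str      # sha256 of the token; the raw token is never stored
    expires_at: float    # absolute time after which the token is dead
    used: bool = False   # set once the token has been redeemed


# In-memory store keyed by email address (a database table in a real app).
_store: Dict[str, ResetRecord] = {}


def issue_reset_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token and return the link to send by email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _store[email] = ResetRecord(
        token_hash=hashlib.sha256(token.encode()).hexdigest(),
        expires_at=now + TOKEN_TTL_SECONDS,
    )
    # Host and scheme come from CANONICAL_ORIGIN only; request-derived values
    # (such as a Host header) have no way into the link.
    query = urlencode({"email": email, "token": token})
    return f"{CANONICAL_ORIGIN}/password/reset?{query}"


def link_is_first_party(link: str) -> bool:
    """True only if the link points at our own scheme and host."""
    expected = urlparse(CANONICAL_ORIGIN)
    got = urlparse(link)
    return (got.scheme, got.netloc) == (expected.scheme, expected.netloc)


def token_from_link(link: str) -> str:
    """Extract the token parameter from a reset link (used by the redeem step)."""
    return parse_qs(urlparse(link).query)["token"][0]


def consume_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Redeem a token once; reject unknown, expired, reused or mismatched tokens."""
    now = time.time() if now is None else now
    rec = _store.get(email)
    if rec is None or rec.used or now > rec.expires_at:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(presented, rec.token_hash):
        return False
    rec.used = True
    return True


if __name__ == "__main__":
    link = issue_reset_link("alice@example.test")
    print("first-party link:", link_is_first_party(link))
    print("redeemed once:", consume_reset_token("alice@example.test", token_from_link(link)))
    print("redeemed twice:", consume_reset_token("alice@example.test", token_from_link(link)))
```

`link_is_first_party` doubles as a cheap outbound check: run it on every reset link just before it is handed to the mailer, so a link whose host is not the configured origin is dropped and logged rather than delivered.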

## Patches

This has been fixed in 6.3.3 and 5.73.10.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-640
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026