Back to overview

CVE-2026-54242

MEDIUM
4.9
CVSS 3.1
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image proxy's URL validation in src/Imaging/RemoteUrlValidator.php and src/Imaging/GuzzleAdapter.php could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation and cause the server to make HTTP requests to internal addresses, including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. This issue is fixed in versions 5.73.24 and 6.20.1.

Metadata

CVE ID
CVE-2026-54242
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-12 16:25 UTC
Published
2026-07-17 20:23 UTC
Last updated
2026-07-17 20:23 UTC
Primary CWE
CWE-367
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product
statamic / cms
Sources
cve.org  ·  NVD

Severity & Metrics

4.9 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
statamic cms < 5.73.24, >= 6.0.0, < 6.20.1
Weakness (CWE)
CWESourceDescription
CWE-367 cna CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.9 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
References (5)
Back to overview