Executive Summary

CVE-2026-33883 is a reflected Cross-Site Scripting (XSS) vulnerability in the Statamic CMS package affecting versions prior to 5.73.16 and 6.7.2.

The vulnerability arises because the `user:reset_password_form` tag improperly renders user-supplied input from the redirect parameter directly into HTML without proper escaping.

This flaw allows an attacker to craft a malicious URL that executes arbitrary JavaScript code in the victim’s browser when the password reset form is accessed.

It has been fixed in versions 5.73.16 and 6.7.2 by properly escaping the redirect parameter to prevent script injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript in the browser of anyone who clicks a specially crafted malicious URL.

The attack requires no authentication and can be performed remotely over the network.

The potential impacts include limited exposure of confidential information and limited modification of data due to the script execution.

However, it does not affect the availability of the service.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) flaw that allows execution of arbitrary JavaScript in a victim's browser, potentially leading to limited data exposure and modification.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or manipulation of personal or sensitive data, violating requirements for data protection and integrity.

However, the confidentiality and integrity impacts are rated as low, and there is no impact on availability.

Organizations using affected versions of Statamic CMS should apply the patches to mitigate risks and maintain compliance with relevant data protection regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the user:reset_password_form tag in Statamic CMS rendering user input from the redirect parameter without proper escaping, leading to reflected Cross-Site Scripting (XSS). Detection can involve checking if your Statamic CMS version is prior to 5.73.16 or 6.7.2.

To detect exploitation attempts on your network or system, you can monitor HTTP requests for suspicious URLs containing the user:reset_password_form tag with unusual or encoded JavaScript payloads in the redirect parameter.

Example commands to detect such attempts might include searching web server logs for the vulnerable URL pattern and suspicious script content:

• grep -i 'user:reset_password_form' /var/log/apache2/access.log
• grep -i 'redirect=' /var/log/apache2/access.log | grep -E '<script|%3Cscript'

Additionally, using web vulnerability scanners or tools that detect reflected XSS by testing the redirect parameter in the password reset form URL can help identify the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade your Statamic CMS installation to version 5.73.16 or 6.7.2 or later, where the vulnerability has been fixed by properly escaping the redirect parameter.

Until you can upgrade, consider implementing web application firewall (WAF) rules to block requests containing suspicious script payloads in the redirect parameter of the user:reset_password_form.

Also, educate users to avoid clicking on suspicious password reset links and monitor your logs for exploitation attempts.

Useful 0 Not Useful 0