Statamic Remote Code Execution Vulnerability via Antlers-Enabled Inputs

Vulnerability

A remote code execution vulnerability has been identified in Statamic CMS versions prior to 5.73.11 and 6.4.0. This issue affects authenticated control panel users who have access to Antlers-enabled inputs. Exploitation is possible in contexts where Antlers is applied to user-controlled content, such as specific content fields, certain built-in configuration options like Forms email notifications, or through third-party addons that introduce Antlers-enabled fields. The vulnerability allows for a complete compromise of the application, including unauthorized access to sensitive configuration data, manipulation or exfiltration of information, and potential disruptions to application availability.

Impact

Exploitation of this vulnerability could lead to remote code execution within the application, allowing an attacker to fully compromise the application environment. This includes access to sensitive configuration files, the ability to modify or extract data, and potential disruptions to the application's availability.

Remediation

Users can upgrade to Statamic version 5.73.11 or 6.4.0 to address this vulnerability. Sites that use addons depending on Statamic should confirm, after updating, that the installed Statamic version is one of the patched releases.
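A quick way to confirm the remediation is to read the installed Statamic version out of the project's composer.lock and compare it against the two fixed releases named above. The script below is an added example written for this page, not code from Statamic or from the advisory; it assumes the package is published under the Composer name statamic/cms and that the lock file has the standard "packages"/"packages-dev" layout. It treats prereleases (for example a 6.4.0 beta) as older than the final release they precede, flags majors before 5 as unpatched by the literal "prior to" wording, and reports unparseable versions such as dev-main for manual review.

```python
"""Check a composer.lock for a Statamic CMS version covered by this advisory.

Added example, not part of the original advisory or of Statamic itself.
Assumes the Composer package name is statamic/cms and that the lock file
follows the standard composer.lock layout.
"""
import json
import re

# Fixed versions from the advisory, keyed by major release line.
# The trailing 1 marks a final release so prereleases (0) sort below it.
FIXED_VERSIONS = {5: (5, 73, 11, 1), 6: (6, 4, 0, 1)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+.*)?$")


def parse_version(version: str):
    """Return (major, minor, patch, is_release) or None for non-semver tags.

    is_release is 0 for prereleases such as 6.4.0-beta.1, so that they
    compare lower than the 6.4.0 release they precede.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_vulnerable(version: str):
    """True if the version predates the fix for its line, False if patched,
    None if the version string cannot be parsed (e.g. dev-main)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major in FIXED_VERSIONS:
        return parsed < FIXED_VERSIONS[major]
    # Majors before 5 predate both fixes; majors after 6 postdate them.
    return major < 5


def statamic_version_from_lock(lock_text: str):
    """Find the installed statamic/cms version in composer.lock JSON text."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "statamic/cms":
                return pkg.get("version")
    return None


def assess_lock(lock_text: str) -> str:
    """Produce a one-line verdict for a composer.lock document."""
    version = statamic_version_from_lock(lock_text)
    if version is None:
        return "statamic/cms not found in lock file"
    status = is_vulnerable(version)
    if status is None:
        return f"statamic/cms {version}: unparseable version, check manually"
    verdict = "VULNERABLE, upgrade to 5.73.11 or 6.4.0" if status else "patched"
    return f"statamic/cms {version}: {verdict}"


# Constructed sample lock file for demonstration; not from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v5.73.10"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Replace SAMPLE_LOCK with open("composer.lock").read() on a real project.
    print(assess_lock(SAMPLE_LOCK))
```

On a real project, feed the script the contents of composer.lock rather than the constructed sample; a lock file pinned to a "dev-" branch is reported for manual review because branch aliases carry no release number to compare.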

Added: Feb 28, 2026, 12:27 AM
Updated: Feb 28, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm

spread:         5.2
impact:        10.0
exploitability: 5.4
remediation:    7.7
relevance:      3.3
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.