Statamic CMS Email Enumeration Vulnerability in Password Reset Forms

Vulnerability

A vulnerability in Statamic CMS versions prior to 5.73.21 and 6.15.0 allows for email enumeration through the forgot password forms. The responses from these forms inadvertently indicated whether an account was associated with a given email address. This behavior could be exploited by an unauthenticated attacker to identify valid users, potentially facilitating subsequent credential-based attacks.

Impact

Exploitation of this vulnerability could lead to user enumeration, allowing attackers to identify valid accounts for targeted credential-based attacks.

Remediation

Users can upgrade to Statamic CMS versions 5.73.21 or 6.15.0, where this vulnerability has been addressed. In the patched versions, the forgot password forms provide a consistent generic response, regardless of whether the submitted email corresponds to a registered user.
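The difference between the leaky and the fixed behaviour described above, modelled as an added Python example that is not Statamic's (PHP/Laravel) code: a constructed in-memory user store, a "before" handler whose status and message vary with account existence, the "after" handler that returns one generic response, and a regression check a defender can keep in a test suite to catch the leak returning.

```python
# Added illustrative model of the forgot-password enumeration issue (not Statamic's code).
# Assumed: a minimal in-memory user store and two request handlers; messages are constructed.
from dataclasses import dataclass

USERS = {"alice@example.com"}  # constructed sample user store

GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def send_reset_email(email: str) -> None:
    """Stand-in for mailing a reset link (no-op in this example)."""


def forgot_password_leaky(email: str) -> Response:
    """Before the fix: status and body reveal whether the address is registered."""
    if email not in USERS:
        return Response(422, "We can't find a user with that email address.")
    send_reset_email(email)
    return Response(200, "We have emailed your password reset link.")


def forgot_password_fixed(email: str) -> Response:
    """After the fix: identical status and body whether or not the address exists.

    The mail step still only runs for known accounts, so response timing is not
    equalised here; that is a separate property this check does not cover.
    """
    if email in USERS:
        send_reset_email(email)
    return Response(200, GENERIC_MESSAGE)


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Regression check: True if a known and an unknown address get distinguishable responses."""
    a, b = handler(known), handler(unknown)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_account_existence(forgot_password_leaky, "alice@example.com", "nobody@example.com"))
    print("fixed handler leaks:", leaks_account_existence(forgot_password_fixed, "alice@example.com", "nobody@example.com"))
```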

Added: May 12, 2026, 10:23 PM
Updated: May 12, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 8.3
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.