CVE-2026-45660— Statamic: Server-Side Request Forgery via Glide
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45660
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Statamic: Server-Side Request Forgery via Glide
Source: NVD (National Vulnerability Database)
Vulnerability Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45660
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45660
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45660 (1)
- 🔗 Server-Side Request Forgery via Glide · Advisory · statamic/cms · GitHubx_refsource_CONFIRM
IV. Related Vulnerabilities
Same product: cms
- CVE-2026-44306
Statamic: Email enumeration via forgot password endpoint - CVE-2026-44011
Craft CMS: Potential authenticated Remote Code Execution via - CVE-2026-44012
Craft CMS: Missing Volume Permission Check in AssetsControll - CVE-2026-44010
Craft CMS: Missing Authorization in GraphQL Address Resolver - CVE-2026-7508
Bootstrap CMS Page Creation show.blade.php code injection
Same vendor: statamic
- CVE-2026-44306
Statamic: Email enumeration via forgot password endpoint - CVE-2026-41175
Statamic: Unsafe method invocation via query value resolutio - CVE-2026-33887
Statamic allows unauthorized content access through missing - CVE-2026-33886
Statamic's sensitive configuration values are exposed to con - CVE-2026-33885
Statamic has an Open Redirect on unauthenticated endpoints v
Same weakness: CWE-918
- CVE-2026-44285
FastGPT: SSRF Protection Bypass via `externalFile` in Datase - CVE-2026-48555
Spatie Laravel Media Library < 11.23.0 SSRF via addMediaFrom - CVE-2026-49372
TeamCity未授权SSRF漏洞 - CVE-2026-44652
SillyTavern: SSRF vulnerability in the CORS proxy middleware - CVE-2026-46372
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated ba
V. Comments for CVE-2026-45660
No comments yet