CVE-2026-45660: Statamic CMS: Server-Side Request Forgery via Glide

May 18, 2026 (updated June 9, 2026)

The Glide image proxy’s URL validation could be bypassed using an IP representation that wasn’t normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints.

This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected.
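As an added illustration of the hardening this advisory describes (normalize the target address before the public-IP check and fail closed), the validator below shows the defensive pattern in Python. It is example code, not Statamic's or Glide's own implementation; the hostnames, the DNS answers in FAKE_DNS and the pluggable resolver are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def normalize_address(addr: IPAddress) -> IPAddress:
    """Collapse alternative representations into one canonical object before any
    range check. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped so the
    IPv4 range tables apply to them instead of being skipped."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_public_address(addr: IPAddress) -> bool:
    """True only for globally routable unicast addresses. Loopback, RFC 1918 private,
    link-local (which includes the 169.254.169.254 cloud metadata endpoint), shared
    address space, documentation, unspecified, reserved and multicast ranges all fail."""
    addr = normalize_address(addr)
    return addr.is_global and not addr.is_multicast


def candidate_addresses(host: str, resolver: Resolver = resolve_host) -> List[IPAddress]:
    """Addresses a connection to host could actually reach. An IP literal is parsed
    strictly (the ipaddress module refuses shorthand, hex and decimal spellings, so
    those never reach the check as an IP); anything else is resolved and every
    answer is kept, so a name with one public and one internal record is caught."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_safe_fetch_url(url: str, resolver: Resolver = resolve_host) -> bool:
    """Decide whether a user-supplied URL may be fetched server-side. Fails closed:
    an unknown scheme, a missing host, an unresolvable host or any non-public
    answer rejects the URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = candidate_addresses(parts.hostname, resolver)
    except (ValueError, OSError):
        return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


# Constructed DNS answers so the example runs offline; 8.8.8.8 stands in for "some public host".
FAKE_DNS = {
    "images.example": ["8.8.8.8"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["8.8.8.8", "127.0.0.1"],  # one public and one loopback answer: reject
}


def fake_resolve(host: str) -> List[str]:
    """Constructed resolver used in place of the system DNS for the demonstration."""
    if host not in FAKE_DNS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["https://images.example/logo.png", "http://127.0.0.1/", "http://[::1]/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/", "http://dual.example/"]:
        print(f"{u:38} -> {'allow' if is_safe_fetch_url(u, fake_resolve) else 'reject'}")
```

Two caveats a deployment needs beyond this snippet: the check must be repeated for every redirect the fetcher follows, and because the name is resolved once here and again when the socket connects, a resolver that changes its answer between the two (DNS rebinding) still gets through unless the fetcher pins the validated address when it connects.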

References

  • github.com/advisories/GHSA-pf9c-ch8r-2958
  • github.com/statamic/cms/security/advisories/GHSA-pf9c-ch8r-2958
  • nvd.nist.gov/vuln/detail/CVE-2026-45660

Affected versions

All versions before 5.73.22, all versions starting from 6.0.0-alpha.1 before 6.18.1

Fixed versions

  • 5.73.22
  • 6.18.1

Solution

Upgrade to versions 5.73.22, 6.18.1 or above.

Impact: 5.4 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

packagist/statamic/cms/CVE-2026-45660.yml

Page generated Tue, 23 Jun 2026 12:23:12 +0000.