CVE-2026-33882: Statamic's Markdown preview endpoint exposes sensitive user data

March 26, 2026

The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.

References

github.com/advisories/GHSA-cvh3-23vq-w7h4
github.com/statamic/cms
github.com/statamic/cms/security/advisories/GHSA-cvh3-23vq-w7h4
nvd.nist.gov/vuln/detail/CVE-2026-33882

Code Behaviors & Features

Detect and mitigate CVE-2026-33882 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →