Intel

AIKIDO-2026-10615

statamic/cms is vulnerable to Observable Discrepancy

Observable DiscrepancyCVE-2026-44306 Published Apr 28, 2026

25

Low Risk

This Affects:

PHPstatamic/cms
0.0.1 - 5.73.20
Fixed in 5.73.21
6.0.0 - 6.14.0
Fixed in 6.15.0
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to user enumeration through the password reset broker result, which discloses whether a submitted email corresponds to a registered user or has been throttled.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

statamic/cms is vulnerable to Observable Discrepancy in versions 0.0.1 - 5.73.20 and 6.0.0 - 6.14.0.

How to fix this

Upgrade the statamic/cms library to the patch version.