CVE-2026-44306
CWE-204 · Published: May 12, 2026 · Updated: May 13, 2026
Official Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.
Technical Analysis
CVE-2026-44306 is exploitable remotely over the network; no physical or adjacent access is required.
The vulnerability requires no privileges and no user interaction, so enumeration attempts against the forgot password forms can be fully automated.
Recommended Actions
- Apply vendor patches immediately (fixed in 5.73.21 and 6.15.0)
- Monitor CVE-2026-44306 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts