What is GHSA-pf9c-ch8r-2958?

GHSA-pf9c-ch8r-2958 is a security advisory published by GitHub Security Advisories with Medium severity. Statamic CMS: Server-Side Request Forgery via Glide

Which CVE IDs does GHSA-pf9c-ch8r-2958 cover?

GHSA-pf9c-ch8r-2958 covers the following CVE IDs: CVE-2026-45660. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-pf9c-ch8r-2958?

GHSA-pf9c-ch8r-2958 has a CVSS v3 base score of 5.4, published by GitHub Security Advisories.

Which products are affected by GHSA-pf9c-ch8r-2958?

GHSA-pf9c-ch8r-2958 affects 2 products, including: composer/statamic/cms:\u003c 5.73.22; composer/statamic/cms:\u003e= 6.0.0-alpha.1, \u003c 6.18.1.

GHSA-pf9c-ch8r-2958MediumCVSS 5.4

Statamic CMS: Server-Side Request Forgery via Glide

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45660 →

📋 Description

### Impact The Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. ### Patches This has been fixed in 5.73.22 and 6.18.1

🎯 Affected products2

composer/statamic/cms:< 5.73.22
composer/statamic/cms:>= 6.0.0-alpha.1, < 6.18.1

🔗 References (2)

https://github.com/statamic/cms/security/advisories/GHSA-pf9c-ch8r-2958
https://github.com/advisories/GHSA-pf9c-ch8r-2958