CVE-2026-27593: Statamic's 'Choose Your Own Adventure' Password Reset

A critical vulnerability in Statamic CMS turns the password reset feature into an account takeover weapon. By injecting a malicious base URL into the reset request, attackers can force the system to email valid users a link that sends their reset token directly to the attacker's server.