Statamic CMS versions 5.73.8 and earlier, and 6.0.0‑alpha.1 through 6.3.1, contain a stored cross‑site scripting flaw in html fieldtypes. Authenticated users who possess field‑management permissions can embed malicious JavaScript into content. When higher‑privileged users view the compromised content, the injected script runs with the victim’s privileges, enabling actions such as session hijacking, data theft, or further system compromise.

The affected product is the Statamic content‑management system. Vulnerable releases include 5.73.8 and all prior 5.x versions, as well as every 6.x release up to and including 6.3.1. The flaw was addressed in 5.73.9 and 6.3.2.

The flaw is assigned a CVSS score of 8.1 and an EPSS score of less than 1 %, indicating a high severity but a low probability of malicious exploitation at present. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with field‑management permissions; the attacker injects the payload via the CMS UI. The payload then executes in the browser session of any higher‑privileged user who views the affected page, allowing the attacker to elevate privileges indirectly. Because the attack vector is access through normal CMS operations and the primary requirement is a legitimate account with certain permissions, the path to exploitation is limited but feasible for insiders or compromised accounts.