Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Statamic, a Laravel-based CMS, allows an authenticated control panel user to trigger arbitrary code execution through enabled Antlers templates in content fields. The flaw can elevate the attacker's control within the application, permitting full compromise, data loss or theft, and disruption of service. The weakness is a classic code injection failure (CWE-94).

Affected Systems

The vulnerability affects Statamic CMS versions prior to 5.73.16 and 6.7.2. Any instance that has Antlers-enabled fields in its content, configuration, or third-party addons (e.g., SEO Pro) and grants an attacker the necessary edit permissions is at risk. Addons that expose such fields must be updated to a patched Statamic core version.

Risk and Exploitability

With a CVSS score of 8, the CVE is high severity, but the EPSS score of less than 1% indicates a low likelihood of active exploitation. The flaw is not listed in CISA's KEV catalog. Exploitation requires authenticated control panel access and the presence of Antlers-enabled content, meaning the attack surface is limited to privileged users or compromised accounts. Once executed, the attacker can run arbitrary code within the application context, potentially accessing sensitive configuration and data.

Generated by OpenCVE AI on April 16, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security release of Statamic: version 5.73.16 on the 5.x line or 6.7.2 on the 6.x line, the fixed versions named in the description.
  • For any addons relying on Statamic, confirm that the core is updated to a patched version and re-review addon permissions.
  • If immediate patching is not feasible, disable Antlers processing on user-controllable fields or restrict control-panel permissions so that only trusted users can edit Antlers-enabled content.


Advisories

Source: GitHub GHSA
ID: GHSA-cpv7-q2wx-m8rw
Title: Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

History

Wed, 25 Mar 2026 21:00:00 +0000

Type: Description

Values Removed: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.11 and 6.4.0. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

Values Added: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

Thu, 05 Mar 2026 14:45:00 +0000

Type: First Time appeared
Values Added: Statamic statamic

Type: CPEs
Values Added: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Statamic statamic

Mon, 02 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Statamic; Statamic cms

Type: Vendors & Products
Values Added: Statamic; Statamic cms

Fri, 27 Feb 2026 22:30:00 +0000

Type: Description
Values Added: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.11 and 6.4.0. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

Type: Title
Values Added: Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:57:16.308Z

Reserved: 2026-02-27T15:54:05.136Z

Link: CVE-2026-28425

Vulnrichment

Updated: 2026-03-02T19:37:22.555Z

NVD

Status : Modified

Published: 2026-02-27T23:16:05.607

Modified: 2026-03-25T21:16:39.127

Link: CVE-2026-28425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses