Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
Published: 2026-03-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via stored XSS
Action: Immediate Patch
AI Analysis

Impact

Statamic CMS, built on Laravel, is vulnerable to a stored cross‑site scripting (XSS) flaw in the control panel color mode preference. Authenticated users with control panel access can store malicious JavaScript that is executed when a higher‑privileged user impersonates the compromised account. This allows the attacker to run arbitrary code in the context of the impersonator, effectively elevating privileges. The weakness corresponds to CWE‑79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

All Statamic CMS installations running any version prior to 6.6.2 are affected. The vulnerability is specific to the control panel color mode setting feature and is resolved in version 6.6.2 and later.

Risk and Exploitability

The CVSS v3.1 score is 5.4, indicating moderate severity, while the EPSS score is below 1%, suggesting low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user with control panel access to inject the payload, and the attack vector relies on the impersonation capability of higher‑privileged users. Given these conditions, the risk is moderate but exploit probability remains low.

Generated by OpenCVE AI on March 19, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to version 6.6.2 or newer.
  • If an upgrade is not immediately feasible, review and restrict account impersonation permissions to reduce risk.
  • Consult Statamic support or community resources for additional guidance.

Tracking

Advisories
Source | ID | Title
Github GHSA | GHSA-hcch-w73c-jp4m | Statamic vulnerable to privilege escalation via stored cross-site scripting
History

Thu, 19 Mar 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Statamic statamic
CPEs | | cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products | | Statamic statamic

Fri, 13 Mar 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | Statmatic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2. | Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
Title | Statmatic: privilege escalation via stored cross-site scripting | Statamic: privilege escalation via stored cross-site scripting
References | |

Fri, 13 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Statamic; Statamic cms
Vendors & Products | | Statamic; Statamic cms

Thu, 12 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Statmatic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
Title | | Statmatic: privilege escalation via stored cross-site scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:38:42.464Z

Reserved: 2026-03-12T14:54:24.270Z

Link: CVE-2026-32612

Vulnrichment

Updated: 2026-03-13T14:48:19.706Z

NVD

Status : Analyzed

Published: 2026-03-13T19:55:09.813

Modified: 2026-03-19T13:28:12.410

Link: CVE-2026-32612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T10:00:01Z

Weaknesses