Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Statamic CMS is vulnerable to a stored cross‑site scripting flaw that lets authenticated users with asset upload rights inject arbitrary JavaScript into SVG files. When a victim views the manipulated SVG, the embedded code executes in the victim’s browser, enabling data theft or session hijacking. This weakness arises from a bypass of the system’s SVG sanitization and is classified as CWE‑79.

Affected Systems

The issue affects Statamic CMS versions earlier than 5.73.14 and 6.7.0. Any installation that allows asset uploads for authenticated users is at risk until the patch is applied.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, yet the EPSS probability is below 1 % and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker first obtain legitimate credentials with upload privileges, after which they can upload a crafted SVG that bypasses sanitization. The impact is limited to users who view the malicious asset, but the potential for wide spread remains if many users consume the file.

Generated by OpenCVE AI on March 23, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic to version 5.73.14 or later, or 6.7.0 or later
  • If an upgrade is not feasible, restrict or revoke asset upload permissions for authenticated users
  • Verify that the sanitization routine is active and monitor for anomalous SVG uploads

Generated by OpenCVE AI on March 23, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7rcv-55mj-chg7 Statamic has Stored XSS via SVG Sanitization Bypass
History

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Statamic statamic
CPEs cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products Statamic statamic

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Statamic
Statamic cms
Vendors & Products Statamic
Statamic cms

Fri, 20 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
Title Statamic has Stored XSS via SVG Sanitization Bypass
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Statamic Cms Statamic
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:46:16.341Z

Reserved: 2026-03-17T22:16:36.719Z

Link: CVE-2026-33172

cve-icon Vulnrichment

Updated: 2026-03-25T13:46:12.475Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T22:16:28.973

Modified: 2026-03-23T18:46:04.647

Link: CVE-2026-33172

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:27Z

Weaknesses