CVE-2026-28426
Statamic vulnerable to privilege escalation via stored cross-site scripting
CVSS Score
8.7
EPSS Score
0.0%
EPSS Percentile
0th
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
| CWE | CWE-79 |
| Vendor | statamic |
| Product | cms |
| Published | Feb 27, 2026 |
| Last Updated | Mar 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for statamic cms
Be the first to know when new high vulnerabilities affecting statamic cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
statamic / cms
< 5.73.11 >= 6.0.0, < 6.4.0