Statamic CMS vulnerable to Cross-site Scripting via uploaded assets
Description
Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel, which requires authentication. This issue has been patched in 3.4.15 and 4.36.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Statamic CMS before 3.4.15 and 4.36.0 allows HTML files disguised as images to bypass mime validation, enabling stored XSS via asset uploads on front-end forms or in the authenticated control panel.
Overview
Statamic CMS, a Laravel and Git-powered content management system, contained a vulnerability in how it validated uploaded file types. Prior to versions 3.4.15 and 4.36.0, the mime validation could be bypassed, allowing an attacker to upload HTML files that were crafted to appear as image files. This is a server-side validation weakness, not a client-side issue. [1][2]
Exploitation
The attack surface exists in two contexts: front-end forms that include an assets field via the "Forms" feature, and the authenticated control panel. For the control panel, authentication is required, limiting the attack to authenticated users. In either case, the uploaded file bypasses mime validation, so an HTML file containing JavaScript can be stored on the server. When that file is later accessed or rendered (for example, if an administrator or visitor views the uploaded file directly or via a media preview), the embedded script executes in the browser of the viewing user. This is a stored cross-site scripting (XSS) vulnerability. [2][4]
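The weakness described above is a validator that trusts what the client says about an upload rather than what the bytes contain. The following is an added example, not Statamic's code and not the actual patch: a content-based upload gate that ignores the declared MIME type and the extension as sources of truth, checks image magic bytes, and refuses anything a browser's MIME sniffer would classify as HTML. The accepted-extension table, the signature table, and the sample uploads are all constructed for the example; the tag list mirrors a subset of the WHATWG sniffing rules and generalises beyond the single HTML-as-image case on this page.

```python
"""Content-based upload validation: decide from the bytes, not from the
client-declared MIME type or the file extension.  Added example, not
Statamic's own code; the tables and sample uploads are constructed."""
from __future__ import annotations

import os
import re

# Extensions the hypothetical assets field accepts, and the MIME type each implies.
EXTENSION_MIME = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif"}

# Magic-byte signatures that the first bytes of a genuine file of that type carry.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Leading tags that the WHATWG MIME-sniffing algorithm classifies as HTML (subset):
# ASCII whitespace is skipped, the tag is case-insensitive, and it must be
# terminated by whitespace or '>'.  An HTML comment opener also counts.
_HTML_RE = re.compile(
    rb"^[\t\n\x0c\r ]*<(?:!doctype[\t\n\x0c\r ]+html|html|head|script|iframe|h1|div"
    rb"|font|table|a|style|title|b|body|br|p)[\t\n\x0c\r >]"
    rb"|^[\t\n\x0c\r ]*<!--",
    re.IGNORECASE,
)
SNIFF_WINDOW = 1445  # bytes a browser inspects when sniffing an unknown type


def sniff_image_type(data: bytes) -> str | None:
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if data.startswith(signatures):  # bytes.startswith accepts a tuple
            return mime
    return None


def looks_like_html(data: bytes) -> bool:
    """True when a browser sniffing this content would render it as HTML."""
    return _HTML_RE.match(data[:SNIFF_WINDOW]) is not None


def validate_upload(filename: str, declared_mime: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).  declared_mime is client input and is only
    checked for consistency; the decision rests on the content itself."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSION_MIME:
        return False, f"extension {ext!r} not allowed"
    # Reject anything a browser would treat as HTML before looking for images,
    # so an HTML document wearing an image extension never reaches storage.
    if looks_like_html(data):
        return False, "content sniffs as HTML"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not match any allowed image signature"
    if sniffed != EXTENSION_MIME[ext]:
        return False, f"extension {ext} says {EXTENSION_MIME[ext]} but content is {sniffed}"
    if declared_mime != sniffed:
        return False, f"declared {declared_mime} but content is {sniffed}"
    return True, sniffed


# Constructed sample uploads: (declared MIME type, file bytes).
SAMPLES = {
    "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17),
    "banner.gif": ("image/gif", b"GIF89a" + b"\x00" * 20),
    "photo.png": ("image/png", b"<html><script>alert(1)</script></html>"),  # HTML disguised as PNG
    "pic.gif": ("image/gif", b"  \n<!DOCTYPE HTML><html></html>"),           # leading whitespace, upper case
    "shot.png": ("image/png", b"\xff\xd8\xff\xe0" + b"\x00" * 12),            # JPEG bytes, PNG extension
    "page.html": ("text/html", b"<html></html>"),
}


def check_samples() -> dict[str, tuple[bool, str]]:
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, mime, data) for name, (mime, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The HTML check runs before the image check on purpose: an allow-list of signatures can be incomplete, and the failure mode on this page is content a browser will render as a document, so that is the property tested directly. Rejecting on a declared-type mismatch is a design choice; some browsers send non-standard types such as image/jpg, so an operator may prefer to log that case rather than reject. Validation at upload time should still be paired with how the asset is served: a correct Content-Type and X-Content-Type-Options: nosniff on the response stop a browser from reinterpreting a stored file, and serving user uploads from a separate origin keeps any script that does slip through out of the CMS session context.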
Impact
An attacker who successfully uploads a malicious HTML file can execute arbitrary JavaScript in the context of the Statamic CMS domain. This can lead to session hijacking, data theft, or defacement, depending on the privileges of the victim user. The advisory notes that this issue is a cross-site scripting vulnerability, and the CVSS v4.0 vector (if published) would reflect that. [1][4]
Mitigation
The vulnerability has been patched in Statamic CMS versions 3.4.15 and 4.36.0. Users are strongly advised to upgrade to these versions or later. The release notes confirm the fix was included in these specific tag releases. [2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| statamic/cms | Packagist | < 3.4.15 | 3.4.15 |
| statamic/cms | Packagist | >= 4.0.0, < 4.36.0 | 4.36.0 |
Affected products
- statamic/cms: range < 3.4.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8jjh-j3c2-cjcv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-48701 (GHSA, advisory)
- github.com/statamic/cms/releases/tag/v3.4.15 (GHSA, x_refsource_MISC, web)
- github.com/statamic/cms/releases/tag/v4.36.0 (GHSA, x_refsource_MISC, web)
- github.com/statamic/cms/security/advisories/GHSA-8jjh-j3c2-cjcv (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.