VYPR
High severity · NVD Advisory · Published Feb 21, 2026 · Updated Feb 24, 2026

Statamic affected by privilege escalation via stored Cross-site Scripting

CVE-2026-27196

Description

Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in the html fieldtype which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Statamic CMS stored XSS in the html fieldtype allows authenticated users with field management permissions to inject JavaScript that is executed by higher-privileged users.

Vulnerability

Statamic CMS versions 5.73.8 and below, and 6.0.0-alpha.1 through 6.3.1, are affected by a stored cross-site scripting (XSS) vulnerability in the HTML fieldtype [1]. The root cause is that the html fieldtype renders user-provided HTML content without sanitization, so injected JavaScript is stored with the field configuration and executed whenever the field is viewed [2].

Exploitation

An authenticated user with field management permissions can inject arbitrary JavaScript into an HTML fieldtype. The injected script then executes in the context of higher-privileged users (such as administrators) who view the content, enabling privilege escalation [4]. The attack requires network access to the CMS and valid credentials with field creation or editing privileges [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of a higher-privileged user, leading to potential session hijacking, data theft, or actions performed on behalf of the victim [4]. The vulnerability is classified as a stored XSS with a CVSS vector indicating high impact on confidentiality, integrity, and availability, with a scope change [4].

Mitigation

Statamic has released fixes in versions 6.3.2 and 5.73.9. The patch introduces DOMPurify sanitization for the HTML fieldtype and adds a configuration option to disable sanitization if needed [2]. Users should update to the latest patched version to mitigate the vulnerability.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions            Patched versions
statamic/cms (Packagist)   >= 6.0.0-alpha.1, < 6.3.2    6.3.2
statamic/cms (Packagist)   < 5.73.9                     5.73.9
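A defender-side check against the version ranges in the table above, added here as an example (not code from VYPR, the GitHub advisory, or the Statamic project): it parses composer-style version strings, including the `6.0.0-alpha.1` prerelease lower bound that a naive numeric comparison gets wrong, and reports which affected branch an installed `statamic/cms` falls into. The sample `composer.lock` content is constructed; the ranges are the ones the advisory lists.

```python
import json
import re

# Affected ranges as published in the advisory for statamic/cms:
# every release below 5.73.9, and 6.0.0-alpha.1 up to (not including) 6.3.2.
AFFECTED_RANGES = [
    ("5.x", None, "5.73.9"),
    ("6.x", "6.0.0-alpha.1", "6.3.2"),
]

# Prerelease labels in ascending order; a final release ranks above all of them.
_PRERELEASE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_FINAL_RANK = 4

_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+){0,3})(?:[-.]?(dev|alpha|a|beta|b|rc)[-.]?(\d*))?",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn a composer-style version string ('v6.3.1', '6.0.0-alpha.1', '5.73.8')
    into a tuple that compares correctly: four numeric components, then a
    (prerelease rank, prerelease number) pair."""
    m = _VERSION_RE.fullmatch(text.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    if m.group(2) is None:
        pre = (_FINAL_RANK, 0)
    else:
        pre = (_PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    return nums + pre


def is_affected(version):
    """Return the affected branch label ('5.x' or '6.x') for a version inside
    one of AFFECTED_RANGES, or None if the version is outside all of them."""
    v = parse_version(version)
    for branch, lower, upper in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        below_upper = v < parse_version(upper)
        if above_lower and below_upper:
            return branch
    return None


def check_composer_lock(lock_json, package="statamic/cms"):
    """Look `package` up in composer.lock content and return
    (installed_version, affected_branch_or_None); (None, None) if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                version = pkg["version"]
                return version, is_affected(version)
    return None, None


# Constructed sample lock content (not from any real project), reduced to the
# fields the check reads. Composer records tag names, hence the leading 'v'.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v6.0.0-alpha.1"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    for v in ("v5.73.8", "5.73.9", "6.0.0-alpha.1", "6.0.0-beta.2", "v6.3.1", "6.3.2"):
        print(f"{v:16} affected branch: {is_affected(v)}")
    print("sample composer.lock:", check_composer_lock(SAMPLE_LOCK))
```

Run it against a real lock file with `check_composer_lock(open("composer.lock").read())`; anything other than `None` in the second position means the installed release is inside an affected range and the matching patched version (5.73.9 or 6.3.2) applies.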

Affected products (2)
  • Range: <=5.73.8 or >=6.0.0-alpha.1 <=6.3.1
  • statamic/cmsv5
    Range: >= 6.0.0-alpha.1, < 6.3.2

Patches (2)
6c270dacc2be

[5.x] Sanitize html in html fieldtype (#13992)

https://github.com/statamic/cms · Jason Varga · Feb 18, 2026 · via ghsa
3 files changed · +27 −2
  • package.json  +1 −0  modified
    @@ -51,6 +51,7 @@
         "body-scroll-lock": "^4.0.0-beta.0",
         "codemirror": "^5.58.2",
         "cookies-js": "^1.2.2",
    +    "dompurify": "^3.3.1",
         "floating-vue": "^1.0.0-beta.19",
         "fuse.js": "^7.0.0",
         "highlight.js": "^11.7.0",
    
  • package-lock.json  +17 −0  modified
    @@ -46,6 +46,7 @@
             "body-scroll-lock": "^4.0.0-beta.0",
             "codemirror": "^5.58.2",
             "cookies-js": "^1.2.2",
    +        "dompurify": "^3.3.1",
             "floating-vue": "^1.0.0-beta.19",
             "fuse.js": "^7.0.0",
             "highlight.js": "^11.7.0",
    @@ -3661,6 +3662,13 @@
           "integrity": "sha512-Q5vtl1W5ue16D+nIaW8JWebSSraJVlK+EthKn7e7UcD4KWsaSJ8BqGPXNaPghgtcn/fhvrN17Tv8ksUsQpiplw==",
           "dev": true
         },
    +    "node_modules/@types/trusted-types": {
    +      "version": "2.0.7",
    +      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
    +      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
    +      "license": "MIT",
    +      "optional": true
    +    },
         "node_modules/@types/unist": {
           "version": "2.0.6",
           "resolved": "https://registry.npmjs.org/@types/unist/-/unist-2.0.6.tgz",
    @@ -4803,6 +4811,15 @@
             "url": "https://github.com/fb55/domhandler?sponsor=1"
           }
         },
    +    "node_modules/dompurify": {
    +      "version": "3.3.1",
    +      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
    +      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
    +      "license": "(MPL-2.0 OR Apache-2.0)",
    +      "optionalDependencies": {
    +        "@types/trusted-types": "^2.0.7"
    +      }
    +    },
         "node_modules/domutils": {
           "version": "3.0.1",
           "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.0.1.tgz",
    
  • resources/js/components/fieldtypes/HtmlFieldtype.vue  +9 −2  modified
    @@ -1,9 +1,16 @@
     <template>
    -    <div v-html="config.html" />
    +    <div v-html="html" />
     </template>
     
     <script>
    +import DOMPurify from 'dompurify';
    +
     export default {
    -    mixins: [Fieldtype]
    +    mixins: [Fieldtype],
    +    computed: {
    +        html() {
    +            return DOMPurify.sanitize(this.config.html);
    +        }
    +    }
     };
     </script>
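Review bot: the new `html()` computed sanitizes `this.config.html` unconditionally with DOMPurify's default configuration and, unlike the 6.x counterpart, offers no per-field toggle; that is the safer shape, but because sanitization happens at render time inside the control-panel component, the raw value in the field config is left unchanged, so any other consumer of `config.html` needs the same treatment. A changelog line that inline script and event-handler attributes in existing html fields will now be stripped would save support questions.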
    
11ae40e62edd

[6.x] Sanitize html in html fieldtype (#13990)

https://github.com/statamic/cms · Jason Varga · Feb 18, 2026 · via ghsa
5 files changed · +35 −8
  • lang/en/fieldtypes.php  +1 −0  modified
    @@ -110,6 +110,7 @@
         'group.title' => 'Group',
         'hidden.title' => 'Hidden',
         'html.config.html_instruct' => 'Manage the HTML to be displayed in the publish form. This is for display purposes only, the HTML will not be saved.',
    +    'html.config.sanitize_instruct' => 'Whether the HTML should be sanitized before being displayed. Only disable this if you have a good reason.',
         'html.title' => 'HTML',
         'icon.config.set' => 'The name of a custom icon set.',
         'icon.title' => 'Icon',
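Review bot: the new `html.config.sanitize_instruct` string asks the user to disable sanitization only "if you have a good reason" but does not say what the risk is; consider naming it in the instruction itself, for example "Disabling this lets scripts embedded in the HTML run for anyone who opens the publish form", so the consequence is visible at the point where the toggle is flipped.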
    
  • package.json  +1 −0  modified
    @@ -63,6 +63,7 @@
         "codemirror": "5.65.12",
         "cookies-js": "^1.2.2",
         "cva": "^1.0.0-beta.3",
    +    "dompurify": "^3.3.1",
         "floating-vue": "^5.2.2",
         "fuzzysort": "^3.1.0",
         "highlight.js": "^11.7.0",
    
  • package-lock.json  +17 −0  modified
    @@ -50,6 +50,7 @@
             "codemirror": "5.65.12",
             "cookies-js": "^1.2.2",
             "cva": "^1.0.0-beta.3",
    +        "dompurify": "^3.3.1",
             "floating-vue": "^5.2.2",
             "fuzzysort": "^3.1.0",
             "highlight.js": "^11.7.0",
    @@ -2882,6 +2883,13 @@
             "csstype": "^3.2.2"
           }
         },
    +    "node_modules/@types/trusted-types": {
    +      "version": "2.0.7",
    +      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
    +      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
    +      "license": "MIT",
    +      "optional": true
    +    },
         "node_modules/@types/unist": {
           "version": "3.0.3",
           "resolved": "https://registry.npmjs.org/@types/unist/-/unist-3.0.3.tgz",
    @@ -4414,6 +4422,15 @@
             "url": "https://github.com/fb55/domhandler?sponsor=1"
           }
         },
    +    "node_modules/dompurify": {
    +      "version": "3.3.1",
    +      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
    +      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
    +      "license": "(MPL-2.0 OR Apache-2.0)",
    +      "optionalDependencies": {
    +        "@types/trusted-types": "^2.0.7"
    +      }
    +    },
         "node_modules/domutils": {
           "version": "3.2.2",
           "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
    
  • resources/js/components/fieldtypes/HtmlFieldtype.vue  +10 −8  modified
    @@ -1,11 +1,13 @@
    -<template>
    -    <div v-html="config.html" />
    -</template>
    +<script setup>
    +import Fieldtype from '@/components/fieldtypes/fieldtype';
    +import { computed } from 'vue';
    +import DOMPurify from 'dompurify';
     
    -<script>
    -import Fieldtype from './Fieldtype.vue';
    +const props = defineProps(Fieldtype.props);
     
    -export default {
    -    mixins: [Fieldtype],
    -};
    +const html = computed(() => props.config.sanitize ? DOMPurify.sanitize(props.config.html) : props.config.html);
     </script>
    +
    +<template>
    +    <div v-html="html" />
    +</template>
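Review bot: the ternary in `const html = computed(() => props.config.sanitize ? DOMPurify.sanitize(props.config.html) : props.config.html)` falls through to the unsanitized branch for any falsy `props.config.sanitize`, including `undefined`; unless the `'default' => true` added in `src/Fieldtypes/Html.php` is guaranteed to be merged into `props.config` for blueprints saved before this change, those existing fields would still render raw HTML. Writing the test as `props.config.sanitize !== false` makes an absent key fail safe. Separately, the import path change from `./Fieldtype.vue` to `@/components/fieldtypes/fieldtype` is unrelated to the fix and would be easier to review in its own commit.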
    
  • src/Fieldtypes/Html.php  +6 −0  modified
    @@ -21,6 +21,12 @@ protected function configFieldItems(): array
                             'mode' => 'htmlmixed',
                             'mode_selectable' => false,
                         ],
    +                    'sanitize' => [
    +                        'display' => __('Sanitize'),
    +                        'instructions' => __('statamic::fieldtypes.html.config.sanitize_instruct'),
    +                        'type' => 'toggle',
    +                        'default' => true,
    +                    ],
                     ],
                 ],
             ];
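Review bot: the new `sanitize` toggle is declared in `configFieldItems()`, so it is editable by anyone who can manage field configuration, which is the same role the advisory names as the attacker; such a user can switch it off and restore the unsanitized rendering path for every higher-privileged viewer. `'default' => true` is the right default, but consider restricting who may change this option (for example a super-user check when saving the blueprint) or at least logging when it is disabled, so the toggle does not quietly re-open the stored-XSS vector.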
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.