VYPR
High severity · NVD Advisory · Published Feb 21, 2026 · Updated Feb 24, 2026

Statamic affected by privilege escalation via stored Cross-site Scripting

CVE-2026-27196

Description

Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1, have a stored XSS vulnerability in html fieldtypes that allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
statamic/cms (Packagist) | >= 6.0.0-alpha.1, < 6.3.2 | 6.3.2
statamic/cms (Packagist) | < 5.73.9 | 5.73.9
