VYPR
High severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 25, 2026

Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

CVE-2026-28425

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content, for example content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Statamic CMS authenticated RCE via Antlers template injection in control panel inputs, allowing full application compromise.

Vulnerability

Overview

CVE-2026-28425 is a remote code execution (RCE) vulnerability in Statamic, a Laravel and Git powered CMS. The flaw resides in the Antlers template engine, which allows user-supplied content to be processed as template code. Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs could inject arbitrary Antlers expressions, leading to code execution in the application context [1][4]. The root cause is insufficient sanitization of user-controlled content processed by the Antlers engine.

Exploitation

Conditions

Exploitation requires the attacker to be an authenticated user with specific control panel permissions. The vulnerability is present in any input where Antlers is explicitly enabled: content fields with Antlers enabled (requiring field configuration and entry edit permissions), built-in configurations such as Forms email notification settings (requiring configuration permission), or third-party addons like SEO Pro that add Antlers-enabled fields [1][4]. The attacker must hold the relevant control panel permissions for each of these paths, so an authenticated account without those privileges cannot exploit the flaw.

Impact

Successful exploitation allows an attacker to achieve remote code execution within the application context. This could lead to full compromise of the application, including access to sensitive configuration data, modification or exfiltration of data, and potential impact on availability [1][4]. The severity is high given the potential for complete loss of confidentiality, integrity, and availability.

Mitigation

The vulnerability has been patched in Statamic versions 5.73.16 and 6.7.2 [1][2][4]. Users should upgrade to these versions immediately. Administrators of addons that depend on Statamic should ensure they are running a patched Statamic version after updating [4]. No workarounds are provided; the fix requires updating the core CMS package.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions            Patched versions
statamic/cms (Packagist)  < 5.73.16                    5.73.16
statamic/cms (Packagist)  >= 6.0.0-alpha.1, < 6.7.2    6.7.2
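As an added check for the upgrade guidance under Mitigation (example code, not Statamic's or the advisory's own), the script below reads a project's composer.lock, finds the locked statamic/cms version and tests it against the two affected ranges listed on this page (< 5.73.16, and >= 6.0.0-alpha.1, < 6.7.2). The composer.lock excerpt and the package name vendor/other-package are constructed for the demo; the version parser is an assumption that covers only x.y.z versions with an optional alpha/beta/rc suffix and, as Composer does, treats a final release as newer than any pre-release of the same number.

```python
"""Check a composer.lock for a statamic/cms version affected by CVE-2026-28425.

Added example, not Statamic's or the advisory's own code. The affected ranges
are the two listed on this page; the composer.lock excerpt is constructed.
"""
import json
import re

PACKAGE = "statamic/cms"

# Affected ranges from the advisory: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, "5.73.16"),            # < 5.73.16, fixed in 5.73.16
    ("6.0.0-alpha.1", "6.7.2"),   # >= 6.0.0-alpha.1, < 6.7.2, fixed in 6.7.2
]

# Pre-release labels in Composer's ordering; a final release sorts after all of them.
_PRE_ORDER = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2, "c": 2}
_FINAL_RELEASE = (3, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z]+)\.?(\d*))?")


def parse_version(text):
    """Turn 'v6.0.0-alpha.1' into a tuple that compares the way Composer orders versions.

    Assumption for this demo: only x.y.z with an optional alpha/beta/rc suffix is
    supported; anything else (e.g. 'dev-main') raises so it is not silently ignored.
    """
    m = _VERSION_RE.fullmatch(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    label = m.group(4)
    if label is None:
        pre = _FINAL_RELEASE
    else:
        if label.lower() not in _PRE_ORDER:
            raise ValueError(f"unsupported pre-release label in {text!r}")
        pre = (_PRE_ORDER[label.lower()], int(m.group(5) or 0))
    return (major, minor, patch, pre)


def is_affected(version):
    """True if `version` falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and v < parse_version(low):
            continue
        if v < parse_version(high):
            return True
    return False


def installed_version(lock_json, package=PACKAGE):
    """Return the locked version of `package` from composer.lock text, or None if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def check_lock(lock_json):
    """Return (installed version or None, affected?) for statamic/cms in a composer.lock."""
    version = installed_version(lock_json)
    if version is None:
        return None, False
    return version, is_affected(version)


# Constructed composer.lock excerpt for the demo (not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/other-package", "version": "v2.1.0"},
        {"name": "statamic/cms", "version": "v6.7.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    state = "AFFECTED, upgrade to 5.73.16 / 6.7.2" if affected else "not affected"
    print(f"{PACKAGE} {version}: {state} (CVE-2026-28425)")
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of its composer.lock; a pre-release such as 6.0.0-alpha.1 is reported as affected because the advisory's second range starts there, while 5.73.16, 6.7.2 and later are reported as not affected.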

Affected products

2
  • Range: <=5.73.15, <=6.7.1
  • statamic/cms v5 (Range: < 5.73.16)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.