Statamic vulnerable to privilege escalation via stored cross-site scripting
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon-related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in versions 5.73.11 and 6.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Statamic CMS SVG/icon components allows authenticated users to inject JavaScript, leading to privilege escalation when the stored content is viewed by higher-privileged users.
Vulnerability
Overview
CVE-2026-28426 is a stored cross-site scripting (XSS) vulnerability in Statamic, a Laravel and Git powered CMS. The flaw resides in the SVG and icon-related components, where insufficient sanitization of uploaded or embedded SVG content allows an authenticated user with appropriate permissions to inject arbitrary JavaScript. This malicious script is stored on the server and executed in the browser of any user who views the affected component, including higher-privileged users such as administrators [1][4].
Exploitation
Details
An attacker must have an authenticated account with permissions to upload or modify SVG files or icon configurations. The attack is network-based, requires low complexity, and does not require user interaction from the victim beyond viewing the compromised page. The vulnerability is classified with a CVSS v4.0 vector that reflects a scope change, as the injected script can affect resources beyond the vulnerable component [4]. The attacker can craft a malicious SVG that, when rendered, executes JavaScript in the context of the victim's session.
Impact
Successful exploitation enables privilege escalation: an attacker with lower privileges can execute arbitrary actions as a higher-privileged user, such as creating new admin accounts, modifying site content, or exfiltrating sensitive data. The stored nature of the XSS means the payload persists until removed, potentially affecting multiple victims [1][4].
Mitigation
The vulnerability has been patched in Statamic versions 5.73.11 and 6.4.0. The fix includes sanitization of SVGs in the Icon component, as noted in the release notes for v6.4.0 [2]. Users are strongly advised to upgrade to these or later versions. No workarounds have been publicly documented, and the advisory recommends immediate patching [4].
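The Overview above attributes the flaw to insufficient sanitization of SVG content, and the fix is described as sanitization of SVGs in the Icon component. As an added illustration of that class of fix, the following allowlist-based SVG sanitizer is not Statamic's code (the project is PHP; this example is generic Python using the standard library). It keeps only the elements an inline icon needs, strips `on*` event-handler attributes, non-fragment `href` values and external `url()` references in inline styles, and returns a list of what it removed so an upload handler can log or reject files that needed cleaning. The element allowlist, the constructed sample icon and the function names are assumptions of this example.

```python
# Added example: an allowlist-based SVG sanitizer in the spirit of the fix the
# advisory describes. Not Statamic's code (the project is PHP); the allowlist,
# sample icon and function names are assumptions of this example.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements a static inline icon legitimately needs. Everything else, including
# <script>, <style>, <foreignObject>, <image> and <a>, is dropped with its content.
ALLOWED_ELEMENTS = {
    "svg", "g", "path", "circle", "ellipse", "rect", "line", "polyline",
    "polygon", "title", "desc", "defs", "use", "symbol", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask",
}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name like '{ns}path'."""
    return tag.rsplit("}", 1)[-1]


def _attr_is_safe(name: str, value: str) -> bool:
    """Decide whether a single attribute may stay on an icon element."""
    local = _local(name)
    # on* attributes (onload, onclick, onerror, ...) are event handlers.
    if local.lower().startswith("on"):
        return False
    # href / xlink:href may only point inside the document (e.g. "#dot").
    if local == "href":
        return value.strip().startswith("#")
    # Inline style may not pull in external resources.
    if local == "style" and "url(" in value.lower():
        return False
    return True


def _scrub(elem: ET.Element, removed: list) -> None:
    """Recursively remove disallowed attributes and child elements in place."""
    for name, value in list(elem.attrib.items()):
        if not _attr_is_safe(name, value):
            removed.append(f"attribute {_local(name)} on <{_local(elem.tag)}>")
            del elem.attrib[name]
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_ELEMENTS:
            removed.append(f"element <{_local(child.tag)}>")
            elem.remove(child)  # drops the element together with its content
        else:
            _scrub(child, removed)


def sanitize_svg(svg_text: str) -> tuple:
    """Return (clean_svg, removed). A non-empty 'removed' list means the file
    needed cleaning, which an upload handler should log or treat as a reject.
    Note: xml.etree does not defend against entity-expansion DoS; parse
    untrusted XML with defusedxml in production code."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a legitimate icon with a script element, two event
# handlers and an external reference mixed in. "untrusted()" is a placeholder.
SAMPLE_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" '
    'viewBox="0 0 24 24" onload="untrusted()">'
    '<script>untrusted()</script>'
    '<defs><symbol id="dot"><circle cx="12" cy="12" r="4"/></symbol></defs>'
    '<use xlink:href="#dot"/>'
    '<use xlink:href="https://example.invalid/ext.svg#shape"/>'
    '<path d="M2 2h20v20H2z" onclick="untrusted()" fill="currentColor"/>'
    '</svg>'
)

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_ICON)
    print(clean)
    for item in removed:
        print("stripped:", item)
```

Running the block prints the cleaned icon (script element, `onload`, `onclick` and the external `xlink:href` gone, the `#dot` reference kept) followed by one `stripped:` line per removal. The allowlist approach matters more than the specific lists: a denylist of known-bad tags misses the next attribute or element that can carry script, whereas an allowlist only ever admits what an icon is known to need.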
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | < 5.73.11 | 5.73.11 |
| statamic/cms (Packagist) | >= 6.0.0-alpha.1, < 6.4.0 | 6.4.0 |
Affected products
- statamic/cms v5, range: < 5.73.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5vrj-wf7v-5wr7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28426 (NVD entry)
- github.com/statamic/cms/releases/tag/v5.73.11 (release notes, v5.73.11)
- github.com/statamic/cms/releases/tag/v6.4.0 (release notes, v6.4.0)
- github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7 (vendor advisory)
News mentions
No linked articles in our index yet.