High severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 2, 2026
Statamic vulnerable to privilege escalation via stored cross-site scripting
CVE-2026-28426
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon-related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when the content is viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
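The mitigation a defender would want for this class of bug is to strip active content from untrusted SVG before it is stored or rendered inline in an admin UI. The following is an added illustration written for this page, not Statamic's own code or its patch; it assumes the SVG arrives as a string and that the application is PHP (Statamic is Laravel-based). The function name sanitizeSvg and the sample input are constructed for the example.

```php
<?php
// Added example (not Statamic's code): remove script-bearing elements and
// event-handler / javascript: attributes from an untrusted SVG document.

function sanitizeSvg(string $svg): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML.
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_use_internal_errors($prev);

    if (!$loaded || $doc->documentElement === null
        || $doc->documentElement->localName !== 'svg') {
        throw new InvalidArgumentException('Input is not a well-formed SVG document');
    }

    $xpath = new DOMXPath($doc);

    // 1. Drop elements that can run code or embed foreign content, in any namespace.
    $blockedElements = ['script', 'foreignObject', 'iframe', 'object', 'embed'];
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if (in_array($el->localName, $blockedElements, true) && $el->parentNode !== null) {
            $el->parentNode->removeChild($el);
        }
    }

    // 2. Drop on* event handlers and href / xlink:href values using javascript: URLs.
    foreach (iterator_to_array($xpath->query('//@*'), false) as $attr) {
        $name = strtolower($attr->localName);
        $isHandler = str_starts_with($name, 'on');
        $isScriptUrl = $name === 'href'
            && preg_match('/^\s*javascript:/i', $attr->value) === 1;
        if ($isHandler || $isScriptUrl) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }

    // Serialize only the <svg> element (no XML declaration) for inline embedding.
    return $doc->saveXML($doc->documentElement);
}

// Constructed sample: an "icon" upload carrying a script element, an onload
// handler and a javascript: link. All three are removed; the circle survives.
$untrusted = <<<SVG
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><circle r="10"/></a>
</svg>
SVG;

echo sanitizeSvg($untrusted), PHP_EOL;
```

Removing on the parsed tree rather than with regular expressions matters: attribute names and element names are compared after parsing, so case variations, namespaced prefixes and entity-encoded payloads are handled by the XML parser instead of a pattern. A production deployment would pair this with an allow-list of SVG elements and attributes and with serving uploaded files from a separate origin so that a missed vector cannot run in the control panel's context.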
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | < 5.73.11 | 5.73.11 |
| statamic/cms (Packagist) | >= 6.0.0-alpha.1, < 6.4.0 | 6.4.0 |
References
- https://github.com/advisories/GHSA-5vrj-wf7v-5wr7 (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-28426 (advisory)
- https://github.com/statamic/cms/releases/tag/v5.73.11 (release notes)
- https://github.com/statamic/cms/releases/tag/v6.4.0 (release notes)
- https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7 (vendor advisory)