Statamic: privilege escalation via stored cross-site scripting
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Statamic CMS control panel color mode preference lets low-privileged users execute JavaScript when a higher-privileged admin impersonates their account; fixed in 6.6.2.
Vulnerability
CVE-2026-32612 is a stored cross-site scripting (XSS) vulnerability in Statamic CMS prior to 6.6.2, specifically in the control panel's color mode preference mechanism. The root cause is that user-controlled preference data is stored without validation or encoding and later rendered unescaped into inline JavaScript through Blade's raw output syntax (e.g., {!! $userMode !!}), allowing an attacker to break out of the JavaScript string context [1][2].
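Added example, not Statamic's code: the unescaped inline-script rendering pattern the advisory describes beside a hardened version that allowlists the stored value and then JSON-encodes it with hex flags, which is what Blade's @json directive and Laravel's Js::from do. The function and variable names, the allowlist, and the sample values are assumptions for illustration.

```php
<?php
// Added example, not Statamic's code. Names and sample values are assumptions.
declare(strict_types=1);

/** Allowlist of color modes the control panel actually understands (assumed). */
const ALLOWED_COLOR_MODES = ['light', 'dark', 'auto'];

/** Validate on the way in: anything outside the allowlist falls back to the default. */
function normalizeColorMode(?string $stored): string
{
    return in_array($stored, ALLOWED_COLOR_MODES, true) ? $stored : 'auto';
}

/** Encode a value for an inline <script> so it can never close the string or the tag. */
function encodeForInlineScript(string $value): string
{
    // Same effect as Blade's @json($value) / Js::from($value): <, >, ', ", & become \uXXXX.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Unsafe pattern from the advisory: equivalent of {!! $userMode !!} inside a script block. */
function renderUnsafe(string $userMode): string
{
    return "<script>window.colorMode = '" . $userMode . "';</script>";
}

/** Hardened: validate the stored preference, then encode it for the JavaScript context. */
function renderSafe(string $userMode): string
{
    $encoded = encodeForInlineScript(normalizeColorMode($userMode));
    return '<script>window.colorMode = ' . $encoded . ';</script>';
}

// Constructed sample values: a legitimate mode, and a string carrying the
// characters that matter inside a quoted JavaScript string in a script block.
foreach (['dark', "dark'</x>"] as $value) {
    echo 'stored value: ', $value, PHP_EOL;
    echo '  unsafe : ', renderUnsafe($value), PHP_EOL;
    // Encoding alone already neutralises the quote and the tag; the allowlist is defence in depth.
    echo '  encoded: ', encodeForInlineScript($value), PHP_EOL;
    echo '  safe   : ', renderSafe($value), PHP_EOL;
}
```

Running the script shows the unsafe line emitting the quote and the closing tag verbatim, while the encoded line renders them as \u0027 and \u003C\/x\u003E, and the safe line falls back to the default mode for the invalid value.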
Exploitation
The attack requires an authenticated user with control panel access (low privileges). The attacker sets a malicious value for the color_mode preference. Exploitation occurs when a higher-privileged administrator uses Statamic's built-in user impersonation feature to view the attacker's account; the stored payload executes in the admin's browser session [2][4]. User interaction from the admin (the impersonation action) is required.
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the administrator's session. This can lead to privilege escalation, as the attacker-controlled script can perform actions on behalf of the admin, such as modifying site content, accessing sensitive data, or creating new privileged accounts [2][4].
Mitigation
The vendor has fixed this vulnerability in Statamic CMS version 6.6.2. Users should upgrade to that version or later. No workarounds are publicly detailed [1][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | >= 6.0.0, < 6.6.2 | 6.6.2 |
Affected products
- statamic/cms (v5): range >= 6.0.0, < 6.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-hcch-w73c-jp4m (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-32612 (NVD advisory)
- [3] github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-32612 (x_refsource_MISC, web)
- [4] github.com/statamic/cms/security/advisories/GHSA-hcch-w73c-jp4m (x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.