Statamic has Stored XSS via SVG Sanitization Bypass
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Statamic via SVG re-upload bypasses sanitization, letting authenticated users inject persistent JavaScript.
Vulnerability
Overview
Statamic, a Laravel and Git powered CMS, is susceptible to a stored cross-site scripting (XSS) vulnerability in its SVG asset re-upload functionality [1]. The root cause is a bypass of the SVG sanitization process: when an authenticated user re-uploads an SVG file, the sanitization check is not properly applied, allowing the file to contain arbitrary JavaScript [1][3].
Exploitation
Prerequisites
An attacker must have valid authentication and possess the 'upload assets' permission within the Statamic control panel [1]. The attack is performed by uploading a specially crafted SVG file that includes malicious JavaScript. Because the sanitization is bypassed on re-upload, the malicious content is stored server-side. No additional user interaction is required for the stored payload to execute when the asset is subsequently viewed in a browser [1][3].
Impact
Successful exploitation leads to persistent JavaScript execution in the context of any user who views the affected SVG asset [1]. This can result in data theft (e.g., session cookies, CSRF tokens), unauthorized actions on behalf of the victim, or defacement. According to the advisory, the attack complexity is high, but the potential impact on confidentiality and integrity is significant due to the stored nature of the payload [3].
Mitigation
The vulnerability has been addressed in Statamic versions 5.73.14 and 6.7.0 [1]. Users running earlier versions are advised to upgrade immediately. No workarounds have been published, and the vendor has not indicated whether the issue is listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
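The root cause described above is a sanitization check that is applied on first upload but not on the re-upload path. The following is an added example, not Statamic's code and not the sanitizer the advisory refers to: a pure content check that flags scriptable SVG content and is called identically whether the asset is new or replaces an existing one. The element and attribute deny-list, the function names and the two sample SVGs are assumptions constructed for this illustration.

```python
"""Defensive gate for SVG uploads: reject scriptable content before storage.

Added example, not Statamic's code. The deny-list below is an assumption
chosen for this illustration, not the rule set any particular CMS uses.
Requires Python 3.9+ for the builtin generic type hints.
"""
import xml.etree.ElementTree as ET

# Elements that can execute or embed active content (assumed deny-list, lowercase)
DENIED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that turn a link or resource reference into script execution
DENIED_URL_SCHEMES = ("javascript:", "data:text/html")
# Attributes that carry URLs; xlink:href arrives from the parser as local name "href"
URL_ATTRIBUTES = {"href", "src"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def find_svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing scriptable was seen.

    Note: ET.fromstring does not fetch external entities, but a full sanitizer
    should also bound document size and entity expansion before parsing.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.lower() in DENIED_ELEMENTS:
            findings.append(f"denied element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                # onload, onclick, onerror, ... all run script when the SVG is rendered
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(DENIED_URL_SCHEMES):
                findings.append(f"active URL in {name} on <{tag}>: {value.strip()[:32]}")
    return findings


def accept_svg_upload(svg_bytes: bytes, replacing_existing: bool) -> bool:
    """Single gate for both first upload and re-upload.

    The flag is deliberately unused: the check must not depend on whether the
    asset already exists, which is exactly the property the bypass lacked.
    """
    return not find_svg_active_content(svg_bytes)


# Constructed samples for illustration (not taken from the advisory)
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<script>/* constructed placeholder */</script>'
    b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, "re-upload accepted:", accept_svg_upload(sample, replacing_existing=True))
        for finding in find_svg_active_content(sample):
            print("  -", finding)
```

A deny-list gate like this is a backstop, not a replacement for an allow-list sanitizer that rewrites the document; in addition, serving user-supplied SVGs from a separate origin or with a restrictive Content-Security-Policy limits what any payload that slips through can reach.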
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| statamic/cms | Packagist | >= 6.0.0-alpha.1, < 6.7.0 | 6.7.0 |
| statamic/cms | Packagist | < 5.73.14 | 5.73.14 |
Affected products
- statamic/cms (v5), range: >= 6.0.0-alpha.1, < 6.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-7rcv-55mj-chg7 (ghsa, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2026-33172 (ghsa, ADVISORY)
3. github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.