{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27196", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T19:47:02.154Z", "datePublished": "2026-02-21T04:30:05.184Z", "dateUpdated": "2026-02-24T18:59:19.390Z"}, "containers": {"cna": {"title": "Statamic affected by privilege escalation via stored Cross-site Scripting", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq"}, {"name": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b"}, {"name": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 6.0.0-alpha.1, < 6.3.2", "status": "affected"}, {"version": "< 5.73.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T04:30:05.184Z"}, "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9."}], "source": {"advisory": "GHSA-8r7r-f4gm-wcpq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:59:04.183613Z", "id": "CVE-2026-27196", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:59:19.390Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27196", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T18:59:04.183613Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:59:12.355Z"}}], "cna": {"title": "Statamic affected by privilege escalation via stored Cross-site Scripting", "source": {"advisory": "GHSA-8r7r-f4gm-wcpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.3.2"}, {"status": "affected", "version": "< 5.73.9"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq", "name": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b", "name": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3", "name": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T04:30:05.184Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27196", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:59:19.390Z", "dateReserved": "2026-02-18T19:47:02.154Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T04:30:05.184Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "11EDC44A-794E-452B-8C5C-453E31AB7651", "versionEndExcluding": "5.73.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "67846240-56D0-4181-B6DC-D40B2D0D0BDC", "versionEndExcluding": "6.3.2", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Las versiones 5.73.8 e inferiores, adem\u00e1s de la 6.0.0-alpha.1 hasta la 6.3.1, tienen una vulnerabilidad de XSS Almacenado en los tipos de campo html que permite a usuarios autenticados con permisos de gesti\u00f3n de campos inyectar JavaScript malicioso que se ejecuta cuando es visto por usuarios con mayores privilegios. Este problema ha sido solucionado en 6.3.2 y 5.73.9."}], "id": "CVE-2026-27196", "lastModified": "2026-03-30T15:22:05.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-21T05:17:29.333", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-04-17T16:55:56.576574+00:00", "value": {"mitigation_remediation": ["Upgrade the Statamic installation to at least version 5.73.9 or 6.3.2 where the vulnerability is fixed.", "Restrict the ability to manage html fieldtypes to trusted users only, dropping field\u2011management permissions from accounts that do not need it.", "Audit and sanitize existing content for injected scripts, then remove or neutralize any discovered malicious code."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation via Stored XSS"}, "threat_synthesis": {"affected_systems": "The affected product is the Statamic content\u2011management system. Vulnerable releases include 5.73.8 and all prior 5.x versions, as well as every 6.x release up to and including 6.3.1. The flaw was addressed in 5.73.9 and 6.3.2.", "description_and_impact": "Statamic CMS versions 5.73.8 and earlier, and 6.0.0\u2011alpha.1 through 6.3.1, contain a stored cross\u2011site scripting flaw in html fieldtypes. Authenticated users who possess field\u2011management permissions can embed malicious JavaScript into content. When higher\u2011privileged users view the compromised content, the injected script runs with the victim\u2019s privileges, enabling actions such as session hijacking, data theft, or further system compromise.", "risk_and_exploitability": "The flaw is assigned a CVSS score of 8.1 and an EPSS score of less than 1\u202f%, indicating a high severity but a low probability of malicious exploitation at present. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with field\u2011management permissions; the attacker injects the payload via the CMS UI. The payload then executes in the browser session of any higher\u2011privileged user who views the affected page, allowing the attacker to elevate privileges indirectly. Because the attack vector is access through normal CMS operations and the primary requirement is a legitimate account with certain permissions, the path to exploitation is limited but feasible for insiders or compromised accounts."}}}}, "created": "2026-02-23T14:32:48.930542+00:00", "updated": "2026-04-17T17:00:10.199162+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}