{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28426", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.137Z", "datePublished": "2026-02-27T22:23:42.660Z", "dateUpdated": "2026-03-02T19:39:23.113Z"}, "containers": {"cna": {"title": "Statamic vulnerable to privilege escalation via stored cross-site scripting", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7"}, {"name": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"}, {"name": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.11", "status": "affected"}, {"version": ">= 6.0.0, < 6.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T22:23:42.660Z"}, "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0."}], "source": {"advisory": "GHSA-5vrj-wf7v-5wr7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T19:38:52.314921Z", "id": "CVE-2026-28426", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:39:23.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T19:38:52.314921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:38:58.424Z"}}], "cna": {"title": "Statamic vulnerable to privilege escalation via stored cross-site scripting", "source": {"advisory": "GHSA-5vrj-wf7v-5wr7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.11"}, {"status": "affected", "version": ">= 6.0.0, < 6.4.0"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7", "name": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/statamic/cms/releases/tag/v5.73.11", "name": "https://github.com/statamic/cms/releases/tag/v5.73.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/statamic/cms/releases/tag/v6.4.0", "name": "https://github.com/statamic/cms/releases/tag/v6.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T22:23:42.660Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28426", "state": "PUBLISHED", "dateUpdated": "2026-03-02T19:39:23.113Z", "dateReserved": "2026-02-27T15:54:05.137Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T22:23:42.660Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AA21E74-C3F2-4275-8DEE-DF4DFBF43788", "versionEndExcluding": "5.73.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA6EDD8D-7679-4292-8F49-71B2B3ACEC87", "versionEndExcluding": "6.4.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.11 y 6.4.0, una vulnerabilidad de XSS almacenado en componentes relacionados con SVG e iconos permite a usuarios autenticados con los permisos adecuados inyectar JavaScript malicioso que se ejecuta cuando es visto por usuarios con mayores privilegios. Esto ha sido corregido en 5.73.11 y 6.4.0."}], "id": "CVE-2026-28426", "lastModified": "2026-03-05T14:32:00.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-27T23:16:05.780", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-04-16T15:06:42.948999+00:00", "value": {"mitigation_remediation": ["Apply the patch to Statamic CMS 5.73.11 or 6.4.0 as released", "Restrict access to SVG and icon upload functionalities to only trusted administrators if the patch cannot be applied immediately", "Remove or sanitize any SVG or icon entries that contain untrusted content until a patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting leading to privilege escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Statamic CMS product from vendor statamic:cms. All versions older than 5.73.11 for the 5.x series and older than 6.4.0 for the 6.x series are vulnerable.", "description_and_impact": "Prior to versions 5.73.11 and 6.4.0, Statamic CMS allowed authenticated users with certain permissions to embed malicious JavaScript into SVG and icon components via a stored XSS flaw. When a higher\u2011privileged user later viewed the affected content, the injected script executed in the context of that privileged user, enabling the attacker to compromise data, hijack sessions, or gain administrative rights. The flaw is classified under CWE\u201179 and carries a CVSS 8.7 score, indicating high potential impact.", "risk_and_exploitability": "The exploitation requires an authenticated user with permissions to modify SVG or icon components, making the attack vector web\u2011based and limited to users with edit rights. Although the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild, the high CVSS score and the fact that the flaw enables privilege escalation raise the overall risk. The vulnerability is not listed in the CISA KEV catalog, but remediation remains critical to prevent potential compromise of privileged accounts."}}}}, "created": "2026-03-02T12:04:28.381846+00:00", "updated": "2026-04-16T15:15:39.041086+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}