PT-2026-20984 · Statamic · Statamic

Jasonvarga · Published 2026-02-19 · Updated 2026-02-22 · CVE-2026-27196

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Statamic versions 5.73.8 and below, and 6.0.0-alpha.1 through 6.3.1

Description: Statamic, a Laravel and Git powered content management system (CMS), is affected by a Stored Cross-Site Scripting (XSS) issue in the html fieldtype. This flaw allows authenticated users with field management permissions to inject malicious JavaScript code into content fields. When higher-privileged users view the affected content, the script executes in their browsers, potentially leading to session hijacking or credential theft. Because the payload runs in the context of a higher-privileged user, the vulnerability allows for potential privilege escalation.

Recommendations: Versions prior to 6.3.2 (6.x branch) and prior to 5.73.9 (5.x branch) are vulnerable; upgrade to those releases or later.

Exploit · Fix · LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27196
GHSA-8R7R-F4GM-WCPQ

Affected Products

Statamic