PT-2026-22424 · Statamic · Statamic

Jason Varga · Published 2026-02-27 · Updated 2026-03-05 · CVE-2026-28425

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Statamic versions prior to 5.73.11 and prior to 6.4.0

Description: Statamic is a Laravel- and Git-powered content management system (CMS). An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. This could lead to a full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is possible where Antlers runs on user-controlled content, such as content fields with Antlers explicitly enabled, built-in configuration supporting Antlers like Forms email notification settings, or third-party addons adding Antlers-enabled fields. The attacker must have the relevant control panel permissions.

Recommendations: Versions prior to 5.73.11 should be updated to version 5.73.11 or later. Versions prior to 6.0.0 and below 6.4.0 should be updated to version 6.4.0 or later. If using addons that depend on Statamic, ensure a patched Statamic version is running after updating the addons.
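A defender-side check for the affected ranges above, added here as an example and not part of the advisory or of Statamic itself: it reads a `composer.lock` document, finds the `statamic/cms` package, and reports whether the installed version falls below the fixed versions 5.73.11 (5.x line) or 6.4.0 (6.x line). The lock-file content is a constructed sample; `check_composer_lock` and the helper names are assumptions for this example.

```python
import json

# Fixed versions named in the advisory for CVE-2026-28425.
FIXED_5X = (5, 73, 11)
FIXED_6X = (6, 4, 0)


def parse_version(version: str) -> tuple:
    """Turn a Composer version string such as 'v5.73.10' into a comparable tuple.

    Pre-release and build suffixes ('-beta.1', '+sha') are dropped; a non-numeric
    version such as 'dev-main' raises ValueError so the caller can report 'unknown'.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if this statamic/cms version is in an affected range.

    Anything below 5.73.11 is unpatched; on the 6.x line, 6.0.0 up to but not
    including 6.4.0 is unpatched. Everything else carries the fix.
    """
    v = parse_version(version)
    if v < FIXED_5X:
        return True
    return (6, 0, 0) <= v < FIXED_6X


def check_composer_lock(lock_text: str) -> dict:
    """Locate statamic/cms in a composer.lock document and report its status.

    'vulnerable' is True/False when the version could be parsed, None when it
    could not (e.g. a dev branch), and 'found' is False when the package is absent.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "statamic/cms":
            version = pkg.get("version", "")
            try:
                status = is_vulnerable(version)
            except ValueError:
                status = None
            return {"found": True, "version": version, "vulnerable": status}
    return {"found": False, "version": None, "vulnerable": False}


# Constructed sample composer.lock content (not taken from any real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0"},
    {"name": "statamic/cms", "version": "v6.3.2"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```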

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-28425
GHSA-CPV7-Q2WX-M8RW

Affected Products

Statamic