PT-2026-26204 · Statamic · Statamic

Filipegaudard · Published 2026-03-18 · Updated 2026-03-21

CVE-2026-33172
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Statamic versions prior to 5.73.14
Statamic versions prior to 6.7.0

Description
Statamic is a Laravel- and Git-powered content management system (CMS). A stored cross-site scripting (XSS) issue exists in SVG asset reuploads. Authenticated users with asset upload permissions can bypass SVG sanitization and inject malicious JavaScript. This JavaScript executes when the asset is viewed.

Recommendations
Update to Statamic version 5.73.14.
Update to Statamic version 6.7.0.

Weakness Enumeration
XSS

Related Identifiers

CVE-2026-33172
GHSA-7RCV-55MJ-CHG7

Affected Products

Statamic