Statamic: Attacker Can Take Control of Admin Accounts via JavaScript
GHSA-hcch-w73c-jp4m
CVE-2026-32612
Summary
An attacker can inject malicious code that takes control of an admin account when another admin logs in, potentially leading to unauthorized changes. This affects Statamic control panel users with admin access. Update to the latest version (6.6.2 or later) to fix this issue.
What to do
- Update statamic/cms (vendor: statamic) to version 6.6.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| statamic | cms | > 6.0.0, <= 6.6.2 | 6.6.2 |
| statamic | statamic/cms | > 6.0.0, <= 6.6.2 | 6.6.2 |
Original title
Statamic vulnerable to privilege escalation via stored cross-site scripting
Original description
### Impact
Stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.
### Patches
This has been fixed in 6.6.2.
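The advisory names the pattern (a user-controlled preference value stored verbatim and later rendered into the control panel for a higher-privileged user) but shows no code. The following is an added, hypothetical illustration written for this page; it is not Statamic's code and does not reflect how Statamic stores or renders the color mode setting. Function names, the `data-color-mode` attribute and the allowed values are assumptions. It places the unvalidated rendering beside the fixed form: an allowlist check at write time and attribute escaping at render time.

```javascript
// Added example, not Statamic's code: a stored preference rendered into
// control-panel markup, vulnerable form beside the hardened form.
// All names here are hypothetical.

const ALLOWED_COLOR_MODES = new Set(["light", "dark", "auto"]);

// Vulnerable pattern: the stored preference is interpolated verbatim into
// an HTML attribute, so whatever value the account saved reaches the page
// of whoever later views (or impersonates) that account.
function renderColorModeUnsafe(storedPreference) {
  return `<html data-color-mode="${storedPreference}">`;
}

// Fix 1 (write side): accept only allowlisted values before persisting.
function validateColorMode(value) {
  if (typeof value !== "string" || !ALLOWED_COLOR_MODES.has(value)) {
    throw new Error(`invalid color mode: ${JSON.stringify(value)}`);
  }
  return value;
}

// Fix 2 (read side, defence in depth): escape before placing in markup, so a
// value that somehow bypassed validation still cannot leave the attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderColorModeSafe(storedPreference) {
  // Unknown values fall back to a safe default instead of being rendered.
  const mode = ALLOWED_COLOR_MODES.has(storedPreference) ? storedPreference : "auto";
  return `<html data-color-mode="${escapeHtmlAttr(mode)}">`;
}

// Constructed sample value: closes the attribute and adds an inert one,
// which is enough to show the break-out without doing anything harmful.
const tamperedPreference = 'light" data-injected="1';

function demo() {
  let rejected = false;
  try {
    validateColorMode(tamperedPreference);
  } catch {
    rejected = true;
  }
  return {
    unsafe: renderColorModeUnsafe(tamperedPreference),
    safe: renderColorModeSafe(tamperedPreference),
    rejected,
  };
}

console.log(demo());
```

The write-side allowlist is the actual fix for a preference whose legal values are a small fixed set; the escaping on the read side costs nothing and protects any other code path that renders the same stored field.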
CVSS 3.1 (GHSA): 5.4
Vulnerability type: CWE-79, Cross-site Scripting (XSS)
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026