8.7
Statamic: Authenticated Users Can Steal or Modify Data
CVE-2026-28426
GHSA-5vrj-wf7v-5wr7
Summary
Authenticated users who hold the permissions needed to supply content to the SVG and icon related components can store malicious JavaScript in that content. The script executes in the browser of any higher-privileged user who views it, so the attacker gains that user's session and can read or modify sensitive data with that user's rights (a stored cross-site scripting flaw used for privilege escalation). Statamic 5.x is fixed in 5.73.11 and 6.x in 6.4.0; update as soon as possible, and until then treat SVG and icon content supplied by lower-privileged accounts as untrusted.
What to do
- On the 5.x line, update statamic/cms to version 5.73.11.
- On the 6.x line, update statamic/cms to version 6.4.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| statamic | cms | < 5.73.11 | 5.73.11 |
| statamic | cms | > 6.0.0-alpha.1, < 6.4.0 | 6.4.0 |
| statamic | statamic | <= 5.73.11 | – |
| statamic | statamic | > 6.0.0 , <= 6.4.0 | – |
Original title
Statamic vulnerable to privilege escalation via stored cross-site scripting
Original description
### Impact
Stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
### Patches
This has been fixed in 5.73.11 and 6.4.0.
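The advisory does not describe the patched code, so the following is an added triage example and not Statamic's own code or the vendor's fix. After upgrading, a practitioner will usually want to know whether any SVG or icon assets uploaded by lower-privileged accounts before the patch already carry script, since those files were rendered for higher-privileged users. The script below parses SVG documents and flags the usual executable-SVG vectors (script, foreignObject and similar embedding elements, `on*` event handler attributes, and `javascript:` URLs in href/xlink:href). The heuristics, the function names and the two sample documents are assumptions constructed for this example.

```python
"""Triage: flag SVG assets that can execute script when rendered inline.

Added example for auditing previously uploaded SVG/icon content; it is not
Statamic code and not the vendor's patch. Sample documents are constructed.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run or embed script/HTML when an SVG is rendered inline.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes carrying URLs that may use a javascript: scheme.
URL_ATTRS = {"href", "xlink:href", "from", "to", "values"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix ('{ns}tag' -> 'tag')."""
    if name.startswith("{"):
        ns, _, local = name[1:].partition("}")
        return "xlink:" + local if ns == XLINK_NS else local
    return name


def _is_script_url(value: str) -> bool:
    """True for javascript: (or HTML data:) URLs, even with embedded whitespace.

    Browsers ignore whitespace and control characters inside the scheme, so
    'java\\tscript:' must be treated like 'javascript:'.
    """
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith("javascript:") or cleaned.startswith("data:text/html")


def svg_findings(svg_text: str) -> list[str]:
    """Return reasons the SVG is unsafe to render inline; an empty list means none found."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that does not parse cannot be vouched for: report it.
        return [f"unparseable svg: {exc}"]
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and _is_script_url(value):
                findings.append(f"script url in {name} on <{tag}>")
    return findings


def audit_assets(assets: dict[str, str]) -> dict[str, list[str]]:
    """Map each asset name to its findings, keeping only assets with at least one."""
    return {name: f for name, svg in assets.items() if (f := svg_findings(svg))}


# Constructed sample documents: a harmless icon and one carrying three vectors.
BENIGN_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    '<path d="M12 2L2 22h20z" fill="currentColor"/></svg>'
)
SCRIPT_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>fetch("/cp/users")</script>'
    '<a xlink:href="java\tscript:alert(1)"><circle r="5" onload="alert(1)"/></a>'
    "</svg>"
)

if __name__ == "__main__":
    for name, reasons in audit_assets(
        {"logo.svg": BENIGN_ICON, "icon-from-editor.svg": SCRIPT_ICON}
    ).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it over the asset container's SVG files (or the icon field values exported from the content store) rather than over the two embedded samples; a single finding is enough to quarantine the file until a human has looked at it, and an unparseable file is reported as well because the check cannot clear it.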
NVD CVSS 3.1 base score: 5.4
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
- https://nvd.nist.gov/vuln/detail/CVE-2026-28426 (NVD entry)
- https://github.com/advisories/GHSA-5vrj-wf7v-5wr7 (GitHub Advisory Database)
- https://github.com/statamic/cms/releases/tag/v5.73.11 (Release Notes)
- https://github.com/statamic/cms/releases/tag/v6.4.0 (Release Notes)
- https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7 (Patch, Vendor Advisory)
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026