Statamic: Malicious Code Can Run When Users View Certain Fields
CVE-2026-27196
GHSA-8r7r-f4gm-wcpq
Summary
A security issue in Statamic allows authenticated users with field management permissions to inject malicious code that can harm others. This can happen when certain users view specific fields in the system. Statamic has released patches to fix this issue in versions 6.3.2 and 5.73.9, so update to one of these versions as soon as possible.
What to do
- On the 6.x line, update statamic/cms to version 6.3.2.
- On the 5.x line, update statamic/cms to version 5.73.9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| statamic | cms | > 6.0.0-alpha.1, <= 6.3.2 | 6.3.2 |
| statamic | cms | <= 5.73.9 | 5.73.9 |
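The first thing a practitioner wants from this advisory is a quick answer to "is my install in the affected range?". The script below is an added example, not code from the advisory or from the Statamic project: it reads a Composer lock file, finds the installed statamic/cms version and compares it against the fixed versions named in the Patches section (6.3.2 for the 6.x line, 5.73.9 for the 5.x line), treating those releases as the first safe ones and 6.0.0-alpha.1 as the lower bound given in the table. The embedded composer.lock is constructed for the demonstration; point `triage()` at your project's real lock file instead.

```python
"""Triage check for CVE-2026-27196 / GHSA-8r7r-f4gm-wcpq (statamic/cms).

Added example, not part of the advisory or of the Statamic project.
It compares the installed statamic/cms version from a composer.lock with the
fixed versions stated in the advisory (6.3.2 for 6.x, 5.73.9 for 5.x).
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "statamic/cms"

# Constructed sample composer.lock (not a real project file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v6.2.0"},
    ],
    "packages-dev": [],
})

# Composer-style versions: optional leading "v", three numeric parts, and an
# optional pre-release suffix such as "-alpha.1", "-beta2" or "-rc.3".
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int, int, int]:
    """Turn a version string into a tuple that sorts correctly.

    Layout: (major, minor, patch, is_final, stage, stage_number).
    Pre-releases get is_final=0 so that 6.3.2-rc.1 < 6.3.2; alpha < beta < rc.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        stage = {"alpha": 0, "beta": 1, "rc": 2}[m.group(4).lower()]
        return (major, minor, patch, 0, stage, int(m.group(5) or 0))
    return (major, minor, patch, 1, 0, 0)


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the version recorded for `package` in a composer.lock, if any."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def is_vulnerable(version: str) -> bool:
    """True if `version` falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v[0] == 6:
        # 6.x: affected above 6.0.0-alpha.1, fixed in 6.3.2.
        return parse_version("6.0.0-alpha.1") < v < parse_version("6.3.2")
    if v[0] <= 5:
        # 5.x and earlier: fixed in 5.73.9.
        return v < parse_version("5.73.9")
    # Later major lines are not covered by this advisory.
    return False


def triage(lock_json: str) -> str:
    """One-line verdict for the statamic/cms entry in a composer.lock."""
    version = installed_version(lock_json)
    if version is None:
        return f"{PACKAGE} not installed"
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        # e.g. "dev-main": a branch alias cannot be placed in a version range.
        return f"UNKNOWN: {PACKAGE} {version} is not a comparable release version"
    if vulnerable:
        target = "6.3.2" if parse_version(version)[0] == 6 else "5.73.9"
        return f"VULNERABLE: {PACKAGE} {version} (update to {target})"
    return f"OK: {PACKAGE} {version} is outside the affected range"


if __name__ == "__main__":
    print(triage(SAMPLE_LOCK))
```

Run it against a real lock file with `triage(open("composer.lock").read())`. The version parser deliberately refuses branch aliases such as `dev-main`, because a checkout that floats on a branch cannot be placed in a release range; such installs need to be checked by commit rather than by version.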
Original title
Statamic affected by privilege escalation via stored cross-site scripting
Original description
## Impact
Stored XSS vulnerability in `html` fieldtypes allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
## Patches
This has been fixed in 6.3.2 and 5.73.9.
NVD CVSS 3.1: 8.1
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
References
- https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
- https://nvd.nist.gov/vuln/detail/CVE-2026-27196
- https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
- https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
- https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026