CVE-2026-28426

HIGH

Statamic <5.73.11/6.4.0 - Stored XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-28426. PoCs published by LTX-GOD.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of a stored XSS vulnerability in Statamic CMS, including specific code paths, file references, and step-by-step reproduction instructions. It does not contain functional exploit code but offers in-depth research on the vulnerability's root cause and exploitation method.

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in versions 5.73.11 and 6.4.0.

Exploits (1)

github WRITEUP 2 stars
by LTX-GOD · poc
https://github.com/LTX-GOD/Mycve/tree/main/cms1-CVE-2026-28426.md

Classification
Writeup 95%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: Statamic CMS (new version)
Auth required
Prerequisites: access to a vulnerable Statamic CMS instance · low-privileged attacker account with 'configure collections' permission · admin account to observe the XSS payload execution
devstral-2 · analyzed Mar 02, 2026

References (3)


Scores

CVSS v3 8.7
EPSS 0.0001
EPSS Percentile 2.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
statamic/cms 0 - 5.73.11 (Packagist)
statamic/statamic < 5.73.11
Published Feb 27, 2026
Tracked Since Feb 28, 2026