CVE-2026-32612

MEDIUM

Statamic <6.6.2 - Stored XSS

Title source: llm

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.

References (2)

[Exploit, Third Party Advisory] https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-32612

View Exploit ZIP pw:eip

[Vendor Advisory] https://github.com/statamic/cms/security/advisories/GHSA-hcch-w73c-jp4m

Scores

CVSS v3 5.4

EPSS 0.0001

EPSS Percentile 2.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (3)

statamic/cms 6.0.0 - 6.6.2Packagist

statamic/cms >= 6.0.0, < 6.6.2

statamic/statamic 6.0.0 - 6.6.2

Published Mar 13, 2026

Tracked Since Mar 14, 2026