Description
Statamic is a Laravel- and Git-powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.
References (1)
Core References
x_refsource_confirm
https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7
Scores
CVSS v3
8.7
EPSS
0.0032
EPSS Percentile
24.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (4)
statamic/cms
6.0.0-alpha.1 - 6.7.0 (Packagist)
statamic/cms
< 5.73.14
statamic/cms
>= 6.0.0-alpha.1, < 6.7.0
statamic/statamic
< 5.73.14
Published
Mar 20, 2026
Tracked Since
Mar 21, 2026