CVE-2026-33172

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

No history.

Information

Published : 2026-03-20 22:16

Updated : 2026-03-23 18:46

NVD link : CVE-2026-33172

Mitre link : CVE-2026-33172

CVE.ORG link : CVE-2026-33172

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-33172", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-03-20T22:16:28.973", "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0."}, {"lang": "es", "value": "Statamic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.14 y 6.7.0, una vulnerabilidad de XSS almacenado en las recargas de activos SVG permite a usuarios autenticados con permisos de carga de activos eludir la sanitizaci\u00f3n de SVG e inyectar JavaScript malicioso que se ejecuta cuando se visualiza el activo. Esto ha sido corregido en 5.73.14 y 6.7.0."}], "lastModified": "2026-03-23T18:46:04.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23CF5975-D5BE-4138-AE2F-95F7BBE00F20", "versionEndExcluding": "5.73.14"}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B99B257-0FC1-4CF9-B006-8AEC17235BC8", "versionEndExcluding": "6.7.0", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}