CVE-2026-28425

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.11 and 6.4.0. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/releases/tag/v5.73.11	Release Notes
https://github.com/statamic/cms/releases/tag/v6.4.0	Release Notes
https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

05 Mar 2026, 14:32

Type	Values Removed	Values Added
References	~~() https://github.com/statamic/cms/releases/tag/v5.73.11 -~~	() https://github.com/statamic/cms/releases/tag/v5.73.11 - Release Notes
References	~~() https://github.com/statamic/cms/releases/tag/v6.4.0 -~~	() https://github.com/statamic/cms/releases/tag/v6.4.0 - Release Notes
References	~~() https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw -~~	() https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw - Patch, Vendor Advisory
Summary		(es) Statmatic es un sistema de gestión de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.11 y 6.4.0, un usuario autenticado del panel de control con acceso a entradas habilitadas para Antlers podría lograr ejecución remota de código en el contexto de la aplicación. Eso puede llevar a un compromiso total de la aplicación, incluyendo acceso a configuración sensible, modificación o exfiltración de datos, y potencial impacto en la disponibilidad. La explotación solo es posible donde Antlers se ejecuta en contenido controlado por el usuario—por ejemplo, campos de contenido con Antlers explícitamente habilitado (requiriendo permiso para configurar campos y editar entradas), configuración incorporada que soporta Antlers como la configuración de notificación por correo electrónico de Formularios (requiriendo permiso de configuración), o complementos de terceros que añaden campos habilitados para Antlers a las entradas (por ejemplo, el complemento SEO Pro). En cada caso, el atacante debe tener los permisos relevantes del panel de control. Esto ha sido corregido en 5.73.11 y 6.4.0. Los usuarios de complementos que dependen de Statamic deben asegurarse de que después de actualizar están ejecutando una versión de Statamic parcheada.
CPE		cpe:2.3:a:statamic:statamic::::::::
First Time		Statamic statamic Statamic

27 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 23:16

Updated : 2026-03-05 14:32

NVD link : CVE-2026-28425

Mitre link : CVE-2026-28425

CVE.ORG link : CVE-2026-28425

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.0 /10