CVE-2026-33172

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

17 Jun 2026, 10:37

Type	Values Removed	Values Added
Summary		(es) Statamic es un sistema de gestión de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.14 y 6.7.0, una vulnerabilidad de XSS almacenado en las recargas de activos SVG permite a usuarios autenticados con permisos de carga de activos eludir la sanitización de SVG e inyectar JavaScript malicioso que se ejecuta cuando se visualiza el activo. Esto ha sido corregido en 5.73.14 y 6.7.0.

23 Mar 2026, 18:46

Type	Values Removed	Values Added
First Time		Statamic statamic Statamic
CPE		cpe:2.3:a:statamic:statamic::::::::
References	~~() https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7 -~~	() https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7 - Vendor Advisory

20 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 22:16

Updated : 2026-06-17 10:37

NVD link : CVE-2026-33172

Mitre link : CVE-2026-33172

CVE.ORG link : CVE-2026-33172

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-33172", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-33172", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T13:46:09.184212Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.7.0"}, {"status": "affected", "version": "< 5.73.14"}]}]}], "published": "2026-03-20T22:16:28.973", "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0."}, {"lang": "es", "value": "Statamic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.14 y 6.7.0, una vulnerabilidad de XSS almacenado en las recargas de activos SVG permite a usuarios autenticados con permisos de carga de activos eludir la sanitizaci\u00f3n de SVG e inyectar JavaScript malicioso que se ejecuta cuando se visualiza el activo. Esto ha sido corregido en 5.73.14 y 6.7.0."}], "lastModified": "2026-06-17T10:37:04.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23CF5975-D5BE-4138-AE2F-95F7BBE00F20", "versionEndExcluding": "5.73.14"}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B99B257-0FC1-4CF9-B006-8AEC17235BC8", "versionEndExcluding": "6.7.0", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}