CVE-2026-27196
Received Received - Intake
Stored XSS in Statamic HTML Fields Allows Privilege Escalation

Publication date: 2026-02-21

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27196
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
statamic statamic to 5.73.9 (exc)
statamic statamic From 6.0.0 (inc) to 6.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Statamic content management system (CMS), specifically affecting the HTML fieldtypes. Authenticated users who have permissions to manage fields can inject malicious JavaScript code into the HTML content. When higher-privileged users view this content, the malicious script executes in their browsers, potentially compromising their accounts or data.

The vulnerability exists in Statamic versions 5.73.8 and below, as well as versions 6.0.0-alpha.1 through 6.3.1. It has been fixed in versions 6.3.2 and 5.73.9 by introducing HTML sanitization using the DOMPurify library, which cleanses the HTML content before rendering it.

Impact Analysis

This vulnerability can allow attackers with field management permissions to inject malicious JavaScript code that executes in the browsers of higher-privileged users. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the victim user.

Because the attack is stored, the malicious code persists in the system and triggers whenever the affected content is viewed, increasing the risk and potential impact.

The vulnerability has a high severity score (CVSS 8.1) indicating significant confidentiality and integrity impacts, though it does not affect availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the Stored XSS vulnerability in Statamic CMS versions 5.73.8 and below and 6.0.0-alpha.1 through 6.3.1, you should upgrade to version 6.3.2 or 5.73.9 where the issue is fixed.

The fix involves sanitizing HTML content in the HTML fieldtype using the DOMPurify library to prevent malicious JavaScript injection.

Ensure that the HTML fieldtype configuration has sanitization enabled (which is the default setting) to automatically cleanse HTML input before rendering.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart