CVE-2026-28425
Remote Code Execution in Statamic CMS via Antlers Inputs
Publication date: 2026-02-27
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statamic | statamic | to 5.73.11 (exc) |
| statamic | statamic | From 6.0.0 (inc) to 6.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Statamic, a Laravel and Git powered content management system (CMS). Before versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs could potentially execute remote code within the application context.
Exploitation requires that Antlers runs on user-controlled content, such as content fields with Antlers explicitly enabled, built-in configurations supporting Antlers like Forms email notification settings, or third-party addons that add Antlers-enabled fields. The attacker must have the relevant control panel permissions to configure fields and edit entries.
This vulnerability allows an attacker to fully compromise the application, including accessing sensitive configuration, modifying or exfiltrating data, and potentially impacting the availability of the application.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to a full compromise of the Statamic application.
- Access to sensitive configuration information.
- Modification or exfiltration of data.
- Potential impact on the availability of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update Statamic to version 5.73.11 or 6.4.0 or later, where the issue has been fixed.
Ensure that only trusted authenticated control panel users have permissions to configure fields and edit entries, especially those with Antlers-enabled inputs.
Review and restrict permissions related to configuring Antlers-enabled content fields, Forms email notification settings, and third-party addons that use Antlers-enabled fields.
Users of addons that depend on Statamic should verify that after updating, they are running a patched Statamic version.