Executive Summary

CVE-2026-32612 is a stored cross-site scripting (XSS) vulnerability in the Statamic CMS Control Panel preference handling. It allows an authenticated low-privileged user to inject malicious JavaScript code into their color mode preference. This malicious code is stored without validation and later rendered unsafely as inline JavaScript in the Control Panel.

When a higher-privileged user, such as an administrator, impersonates the attacker’s account, the injected JavaScript executes in the administrator’s browser context. This happens because the preference value is output using Blade templating without proper encoding, allowing the attacker to break out of the intended string context and run arbitrary scripts.

The vulnerability arises from unsafe rendering of user-controlled data and lack of validation when storing preferences. It was fixed in Statamic version 6.6.2 by implementing strict allowlist validation and safe JSON encoding of preference values.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browser of a higher-privileged user, such as an administrator, when they impersonate a low-privileged user who has injected malicious code.

• Execution of attacker-controlled scripts in admin sessions.
• Potential forgery of administrative actions due to script execution in the admin context.
• Privilege escalation within the browser context, allowing attackers to perform actions with elevated rights.

No direct server-side compromise was identified, but the impact on client-side security and administrative control is significant.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the `/cp/preferences/js` endpoint where user preferences are stored without validation.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for unusual or suspicious values in the `color_mode` preference that may contain JavaScript injection payloads.'}, {'type': 'paragraph', 'content': 'For detection on the system, you can inspect stored user preferences in the database or configuration files for unexpected JavaScript code or characters that break out of string contexts.'}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious POST requests in web server logs (assuming Apache logs):'}, {'type': 'list_item', 'content': 'grep "/cp/preferences/js" /var/log/apache2/access.log | grep -i "color_mode"'}, {'type': 'list_item', 'content': 'grep -E "color_mode.*[\\\'\\"\\;\\/]" /var/log/apache2/access.log'}, {'type': 'paragraph', 'content': 'Additionally, you can use web application security scanners or custom scripts to detect stored XSS payloads in user preferences.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Statamic CMS to version 6.6.2 or later, where this vulnerability has been fixed.

The fix includes strict allowlist validation of preference values and safe output encoding using JSON encoding to prevent injection.

Until the upgrade is applied, restrict control panel access to trusted users only and avoid impersonating lower-privileged users in the control panel.

Review and sanitize existing user preferences, especially the `color_mode` preference, to remove any injected JavaScript code.

Monitor administrative sessions for suspicious behavior that could indicate exploitation of this vulnerability.

Useful 0 Not Useful 0