CVE-2026-32612
Received Received - Intake

Stored XSS in Statamic Control Panel Enables Privilege Escalation

Vulnerability report for CVE-2026-32612, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-13

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-13
Last Modified
2026-03-19
Generated
2026-07-06
AI Q&A
2026-03-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
statamic statamic From 6.0.0 (inc) to 6.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-32612 is a stored cross-site scripting (XSS) vulnerability in the Statamic CMS Control Panel preference handling. It allows an authenticated low-privileged user to inject malicious JavaScript code into their color mode preference. This malicious code is stored without validation and later rendered unsafely as inline JavaScript in the Control Panel.

When a higher-privileged user, such as an administrator, impersonates the attacker’s account, the injected JavaScript executes in the administrator’s browser context. This happens because the preference value is output using Blade templating without proper encoding, allowing the attacker to break out of the intended string context and run arbitrary scripts.

The vulnerability arises from unsafe rendering of user-controlled data and lack of validation when storing preferences. It was fixed in Statamic version 6.6.2 by implementing strict allowlist validation and safe JSON encoding of preference values.

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browser of a higher-privileged user, such as an administrator, when they impersonate a low-privileged user who has injected malicious code.

  • Execution of attacker-controlled scripts in admin sessions.
  • Potential forgery of administrative actions due to script execution in the admin context.
  • Privilege escalation within the browser context, allowing attackers to perform actions with elevated rights.

No direct server-side compromise was identified, but the impact on client-side security and administrative control is significant.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the `/cp/preferences/js` endpoint where user preferences are stored without validation.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for unusual or suspicious values in the `color_mode` preference that may contain JavaScript injection payloads.'}, {'type': 'paragraph', 'content': 'For detection on the system, you can inspect stored user preferences in the database or configuration files for unexpected JavaScript code or characters that break out of string contexts.'}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious POST requests in web server logs (assuming Apache logs):'}, {'type': 'list_item', 'content': 'grep "/cp/preferences/js" /var/log/apache2/access.log | grep -i "color_mode"'}, {'type': 'list_item', 'content': 'grep -E "color_mode.*[\\\'\\"\\;\\/]" /var/log/apache2/access.log'}, {'type': 'paragraph', 'content': 'Additionally, you can use web application security scanners or custom scripts to detect stored XSS payloads in user preferences.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Statamic CMS to version 6.6.2 or later, where this vulnerability has been fixed.

The fix includes strict allowlist validation of preference values and safe output encoding using JSON encoding to prevent injection.

Until the upgrade is applied, restrict control panel access to trusted users only and avoid impersonating lower-privileged users in the control panel.

Review and sanitize existing user preferences, especially the `color_mode` preference, to remove any injected JavaScript code.

Monitor administrative sessions for suspicious behavior that could indicate exploitation of this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32612. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart