Remote Code Execution in Statamic CMS Prior to Latest Versions
CVE-2026-28425

8.0 HIGH

Key Information:

Vendor: Statamic
Status: Vendor
CVE Published: 27 February 2026

What is CVE-2026-28425?

Statamic CMS, a content management system built on Laravel and Git, contains a remote code execution vulnerability reachable by authenticated control panel users who can edit Antlers-enabled inputs. Antlers is Statamic's template language; fields configured to parse Antlers render user-supplied content through the template engine, and an attacker with access to such a field can craft content that executes arbitrary code in the application context. The consequence is complete application compromise, including exposure of sensitive configuration settings and modification or theft of stored data. The CVSS metrics below reflect the preconditions: the issue is reachable over the network with low attack complexity, but it requires low privileges (a control panel account) and user interaction.

The affected version ranges below indicate that the fix ships in 5.73.16 on the 5.x line and 6.7.2 on the 6.x line; upgrade to those releases or later. After upgrading, confirm the installed statamic/cms version rather than assuming the update applied, and review any third-party addons that expose Antlers-enabled fields, since those add user-controlled inputs to the same rendering path. As defence in depth, keep Antlers parsing disabled on fields editable by low-privilege roles unless it is actually needed.

Affected Version(s)

  • statamic/cms < 5.73.16

  • statamic/cms >= 6.0.0, < 6.7.2
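
To check whether a deployment falls inside these ranges, here is an added example (not from Statamic or this advisory) in Python that parses the two constraint strings above, reads the statamic/cms version pinned in composer.lock, and reports whether the install is affected. The composer.lock excerpt embedded in it is constructed for the demonstration; the constraint syntax is assumed to be the comparison-operator form shown above, and pre-release suffixes (for example "-beta.1") are ignored when comparing, so a pre-release of a fixed version is reported as not affected.

```python
"""Check an installed statamic/cms version against the affected ranges above."""
import json
import re

# Affected ranges exactly as listed on this page.
AFFECTED_RANGES = [
    "< 5.73.16",
    ">= 6.0.0, < 6.7.2",
]


def parse_version(v):
    """'v5.73.15' -> (5, 73, 15). Missing components become 0; pre-release
    suffixes are ignored (assumption: the numeric part is what matters here)."""
    v = v.strip().lstrip("vV")
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def satisfies(version, constraint):
    """True if version satisfies every comma-separated clause,
    e.g. '>= 6.0.0, < 6.7.2'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.match(r"^\s*(<=|>=|==|<|>)\s*(\S+)\s*$", clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def is_affected(version, ranges=AFFECTED_RANGES):
    """Affected if the version falls inside any listed range."""
    return any(satisfies(version, r) for r in ranges)


def installed_cms_version(lock_json):
    """Return the statamic/cms version pinned in a composer.lock document."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "statamic/cms":
            return pkg["version"]
    raise LookupError("statamic/cms not found in composer.lock")


# Constructed composer.lock excerpt for the demonstration (not a real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0"},
    {"name": "statamic/cms", "version": "v5.73.15"},
]})


if __name__ == "__main__":
    ver = installed_cms_version(SAMPLE_LOCK)
    state = "AFFECTED" if is_affected(ver) else "not affected"
    print(f"statamic/cms {ver}: {state}")
```

Against a real deployment, pass the contents of the project's composer.lock to installed_cms_version instead of SAMPLE_LOCK. Note that the first range has no lower bound, so the 4.x line is reported as affected as well, matching the page's listing.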

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Score: 8.0
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (27 February 2026)