Stored XSS Vulnerability in Statamic CMS by Statamic
CVE-2026-33172

8.7 HIGH

Key Information:

Vendor: Statamic
Status: Vendor
CVE Published: 20 March 2026

What is CVE-2026-33172?

Statamic CMS, a content management system built on Laravel and Git, contains a stored XSS vulnerability in versions prior to 5.73.14 and 6.7.0. The flaw allows authenticated users with asset upload permissions to bypass the sanitization applied to uploaded SVG files. Because the sanitization can be bypassed, such users can inject malicious JavaScript into SVG assets, and that JavaScript executes when the asset is viewed. The issue is fixed in the latest versions of Statamic, underscoring the importance of keeping CMS platforms updated to mitigate security risks.
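As an added illustration of the defensive side of this issue (example code written here, not Statamic's own sanitizer), the check below inspects an uploaded SVG for active content before it is accepted as an asset. It goes beyond what the advisory states by treating element and attribute names case-insensitively and resolving XML namespaces, two places where a naive filter typically misses content; the fixtures are constructed for the example.

```python
# Added example (not Statamic's code): reject SVG uploads carrying active content.
# Names are compared case-insensitively after stripping the XML namespace, so a
# "Script" element or an "onLoad" attribute is treated the same as lower-case.
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign content when the SVG is
# rendered inline or opened directly in a browser.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(svg_text: str) -> list[str]:
    """Return the reasons an SVG should be rejected; an empty list means clean.
    Input that does not parse is rejected rather than trusted. In production,
    parse with defusedxml to also block entity-expansion attacks."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)          # xlink:href resolves to plain "href"
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in {"href", "src"} and SCRIPT_SCHEME.match(value):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings

def is_safe_svg(svg_text: str) -> bool:
    """Convenience wrapper for an upload handler: accept only if no findings."""
    return not svg_findings(svg_text)

# Constructed fixtures (not taken from the advisory).
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onLoad="run()">'
    '<Script>/* constructed placeholder */</Script>'
    '<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="JavaScript:run()">'
    '<circle r="1"/></a></svg>'
)
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             '<rect width="10" height="10" fill="#08f"/></svg>')
```

Rejecting at upload time complements, but does not replace, serving SVG assets with a restrictive Content-Security-Policy or as downloads.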

Affected Version(s)

cms >= 6.0.0-alpha.1, < 6.7.0 (unaffected: < 6.0.0-alpha.1 and 6.7.0)

cms < 5.73.14 (unaffected: 5.73.14 and later)

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved