DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28425: Statamic CMS Antlers Template Engine Remote Code Execution

Vulnerability ID: CVE-2026-28425
CVSS Score: 8.0
Published: 2026-03-01

A high-severity (CVSS 8.0) Remote Code Execution (RCE) vulnerability has been identified in the Antlers template engine of Statamic CMS. The vulnerability arises from improper isolation of user-supplied content during template rendering: content entered by an authenticated, low-privileged Control Panel user is parsed with the same trust as developer-written templates, allowing that user to execute arbitrary PHP code on the server. The flaw affects the Control Panel's handling of specific fields and configuration settings, effectively bridging the gap between content editing and server-side execution.

TL;DR

CVE-2026-28425 allows authenticated Statamic users to execute arbitrary code via malicious Antlers template syntax. The flaw exists because the template engine previously failed to distinguish between trusted developer code and untrusted user input, exposing sensitive PHP functions and configuration data. Patches are available in versions 5.73.11 and 6.4.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94 (Code Injection)
  • CVSS Score: 8.0 (High)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution (RCE)
  • EPSS Score: 0.00138
  • Exploit Status: Proof-of-Concept Available

Affected Systems

  • Statamic CMS 5.x: < 5.73.11 (Fixed in: 5.73.11)
  • Statamic CMS 6.x: >= 6.0.0, < 6.4.0 (Fixed in: 6.4.0)

Mitigation Strategies

  • Update Statamic to the latest patched version immediately.
  • Audit Control Panel user accounts and restrict permissions for untrusted users.
  • Disable Antlers parsing on user-editable fields where it is not strictly necessary.

Remediation Steps:

  1. For Statamic v5.x: Update to version 5.73.11 or later.
  2. For Statamic v6.x: Update to version 6.4.0 or later.
  3. Run composer update statamic/cms in your project root. Composer only moves within the version constraint declared in composer.json, so if the resolved release is still below the fixed version, raise the constraint first.
  4. Verify the update by checking composer show statamic/cms and confirming the reported version is at or above the fixed release for your major version.
  5. Review application logs for warnings such as 'Method call evaluated in user content'. These identify both attempted exploits and legitimate templates that the new sandbox now blocks, so triage each hit rather than silencing the warning.
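The following script is an added example, not code from the advisory or from the Statamic project. It turns steps 4 and 5 into something checkable: it reads the version out of composer show output, decides whether it falls inside the affected ranges listed above, and counts the sandbox warning lines in a Laravel-style log. The composer output and the log lines are constructed samples in the shape those tools print; on a real install you would feed it $(composer show statamic/cms) and storage/logs/laravel.log instead.

```shell
#!/bin/sh
# Added example for CVE-2026-28425 triage (not the advisory's or Statamic's own code).
# Fixed versions are taken from the advisory's Affected Systems section.
FIXED_5="5.73.11"
FIXED_6="6.4.0"

# version_lt A B: succeed if dotted version A is strictly lower than B.
# Compares field by field so 5.9.2 sorts below 5.73.11 (string compare would not).
version_lt() {
  local a="$1" b="$2" ai bi
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 1
}

# is_vulnerable VERSION: print "vulnerable", "patched" or "unknown" for a statamic/cms version.
# Accepts a leading "v" and a pre-release suffix (e.g. v6.3.0-beta.1).
is_vulnerable() {
  local v="${1#v}" major
  v="${v%%-*}"
  major=${v%%.*}
  case "$major" in
    5) if version_lt "$v" "$FIXED_5"; then echo vulnerable; else echo patched; fi ;;
    6) if version_lt "$v" "$FIXED_6"; then echo vulnerable; else echo patched; fi ;;
    *) echo unknown ;;   # only 5.x and 6.x are listed in the advisory
  esac
}

# installed_version TEXT: pull the version token out of `composer show statamic/cms` output,
# whose "versions" line looks like "versions : * v5.73.10" (assumed format, constructed below).
installed_version() {
  printf '%s\n' "$1" | awk '$1 == "versions" { for (i = 2; i <= NF; i++) if ($i ~ /^v?[0-9]/) { print $i; exit } }'
}

# sandbox_hits LOGFILE: print the log lines carrying the warning the advisory tells you to look for.
sandbox_hits() {
  grep -F 'Method call evaluated in user content' "$1"
}

# count_sandbox_hits LOGFILE: number of such lines (0 when there are none, without failing).
count_sandbox_hits() {
  grep -Fc 'Method call evaluated in user content' "$1" || true
}

# Constructed sample of `composer show statamic/cms` output; the version is made up.
SAMPLE_COMPOSER_SHOW='name     : statamic/cms
descrip. : Statamic CMS Core
versions : * v5.73.10
type     : library'

# Constructed Laravel-style log lines; two of them carry the sandbox warning.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2026-03-02 10:14:58] production.INFO: User logged in {"id":7}
[2026-03-02 10:15:01] production.WARNING: Method call evaluated in user content {"field":"bio","template":"partials/author"}
[2026-03-02 10:15:03] production.INFO: Entry saved {"id":"a1b2"}
[2026-03-02 10:16:40] production.WARNING: Method call evaluated in user content {"field":"content","template":"collections/blog/show"}
EOF

# Demo run against the constructed samples.
v="$(installed_version "$SAMPLE_COMPOSER_SHOW")"
echo "statamic/cms $v: $(is_vulnerable "$v")"
echo "sandbox warnings in log: $(count_sandbox_hits "$SAMPLE_LOG")"
sandbox_hits "$SAMPLE_LOG"
```

The field-by-field comparison matters: a plain string comparison would call 5.9.2 newer than 5.73.11 and report a vulnerable install as patched. The log lines that match are worth reading one by one, because the same warning fires for an attacker probing a profile field and for a developer's legitimate template that the sandbox now refuses.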

Read the full report for CVE-2026-28425 on our website for more details including interactive diagrams and full exploit analysis.
