
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28426: Chain Reaction: Stored XSS and Antlers Template Injection in Statamic Control Panel

Vulnerability ID: CVE-2026-28426
CVSS Score: 8.7
Published: 2026-03-01

A critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in Statamic CMS, affecting the Control Panel's handling of Scalable Vector Graphics (SVGs), PDF embedding, and the Antlers template engine. By leveraging insufficient sanitization of user-supplied assets and overly permissive template evaluation contexts, authenticated attackers with limited privileges (such as Authors or Editors) can inject malicious payloads. These payloads execute arbitrary JavaScript in the browser of high-privileged users (Administrators) upon viewing the compromised content, leading to potential account takeover and privilege escalation.

TL;DR

Critical Stored XSS in Statamic CMS (< 5.73.11, < 6.4.0) allows authenticated users to execute JavaScript via malicious SVGs and Antlers template injection in the Control Panel. Patch immediately.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v3.1: 8.7 (High)
  • EPSS Score: 0.025%
  • Impact: Privilege Escalation / Admin ATO
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Statamic CMS 5.x: < 5.73.11 (fixed in 5.73.11)
  • Statamic CMS 6.x: >= 6.0.0, < 6.4.0 (fixed in 6.4.0)

Code Analysis

Commit: 97bbbec

Introduced isEvaluatingUserData flag to sandbox Antlers engine

Commit: 01ca084

Replaced config()->all() with whitelisted Cascade::config()

Commit: 259c585

Replaced PDF embed with Canvas-based rendering

Exploit Details

  • GitHub Advisory: Official advisory containing vector descriptions and PoC concepts.

Mitigation Strategies

  • Upgrade Statamic CMS to the latest stable release.
  • Implement strict Content Security Policy (CSP) headers.
  • Restrict 'Author' and 'Editor' permissions regarding asset uploads.
  • Disable SVG uploads in asset container configurations if not strictly necessary.
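
A defender-side check for the SVG vector described above, added here as an example rather than code from the report or from Statamic: it parses each SVG and flags script elements, event-handler attributes, javascript:/data: hrefs and foreignObject, so an asset container's existing uploads can be audited for already-stored active SVGs while uploads are being restricted. The sample documents and the directory passed to audit_asset_dir are constructed assumptions.

```python
import re
from pathlib import Path
from xml.etree import ElementTree as ET

# Element names that give an SVG a script-execution or HTML-embedding surface.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href values that execute or smuggle content instead of pointing at a resource.
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

# Constructed samples: a plain icon and one carrying the patterns the audit flags.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>alert(1)</script><rect width="1" height="1" onload="alert(2)"/>'
    '<a xlink:href="javascript:alert(3)"><text>x</text></a></svg>'
)


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1] if tag.startswith("{") else tag


def svg_findings(svg_text: str) -> list[str]:
    """Return the reasons an SVG counts as active content (empty list = clean). Unparseable
    input is a finding too; ElementTree expands internal entities, so cap untrusted file sizes."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"{attr_name} handler on <{name}>")
            elif attr_name == "href" and ACTIVE_SCHEME.match(value):
                findings.append(f"active-scheme href on <{name}>")
    return findings


def audit_asset_dir(directory: Path) -> dict[str, list[str]]:
    """Map each flagged .svg below directory (e.g. an asset container disk) to its findings."""
    report = {}
    for path in sorted(directory.rglob("*.svg")):
        found = svg_findings(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path.relative_to(directory))] = found
    return report
```

Any file the audit flags should be quarantined or re-saved through a sanitizer rather than trusted to render in the Control Panel.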

Remediation Steps:

  1. Backup the current Statamic project and database.
  2. Modify composer.json to require statamic/cms:^5.73.11 or ^6.4.0.
  3. Run composer update statamic/cms --with-dependencies.
  4. Run php artisan statamic:stache:clear and php artisan view:clear to flush caches.
  5. Verify the update by checking the version in the Control Panel footer.
