CVE

CVE-2026-27196

Statamic affected by privilege escalation via stored Cross-site Scripting

CVE

CVE-2026-27196

Statamic affected by privilege escalation via stored Cross-site Scripting

Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.1

3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27196.json, https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq, https://nvd.nist.gov/vuln/detail/CVE-2026-27196, https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b, https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3

Severity

8.1

CVSS Score

Basic Information

Ecosystem

Base CVSS

8.1

EPSS Probability

0.00014%

EPSS Percentile

0.02678%

Introduced Version

1025dbc537fdb606c73209ab54d865b345d241d4,0

Fix Available

580697d3fb583ed2386d17eab54faff9686c09f4,1171faaf2ffd6abfca2befd51814f99b7e057dc2

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-27196

CVE-2026-27196

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

8.1

Basic Information

Fix Critical Vulnerabilities Instantly