Skip to main content

Statamic CVE-2026-32612

| EUVDEUVD-2026-11732 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 security-advisories@github.com GHSA-hcch-w73c-jp4m
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 20:00 euvd
EUVD-2026-11732
Analysis Generated
Mar 13, 2026 - 20:00 vuln.today
CVE Published
Mar 13, 2026 - 19:55 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.

AnalysisAI

Statamic CMS versions prior to 6.6.2 contain a stored cross-site scripting (XSS) vulnerability in the control panel color mode preference functionality that allows authenticated users to inject malicious JavaScript code. When a higher-privileged administrator impersonates or accesses the account of an authenticated user who has injected malicious code, the JavaScript executes in the administrator's browser session with their elevated privileges. This vulnerability is network-accessible and requires low privileges but user interaction from the victim, resulting in a CVSS score of 5.4 with potential for session hijacking, data theft, or further privilege escalation depending on the administrator's role and permissions.

Technical ContextAI

Statamic is a Laravel-based content management system (CMS) that integrates Git for version control and provides a web-based control panel for content management. The vulnerability exists in how user preferences, specifically the color mode setting, are stored and rendered without proper output encoding or content security policy enforcement. This falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS vulnerability where user-controlled input is persisted in a database and later rendered in HTML context without sanitization. The attack vector targets the control panel authentication mechanism, meaning the attacker must first obtain valid credentials to access the control panel. The vulnerability is specific to the preference storage mechanism and affects the CPE designation for Statamic prior to version 6.6.2 (cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* with versions before 6.6.2).

RemediationAI

Immediately upgrade Statamic to version 6.6.2 or later, which contains the fix for the stored XSS vulnerability in the color mode preference setting. This patch properly sanitizes and encodes user input in the preference storage and rendering mechanisms. Organizations unable to patch immediately should implement the following compensating controls: restrict control panel access to a minimal set of trusted administrators using network-level access controls (IP whitelisting via reverse proxy or firewall), enforce strong multi-factor authentication for all control panel accounts to prevent credential compromise, regularly audit control panel login logs and preference changes for suspicious activity, and implement Content Security Policy (CSP) headers with strict directives to limit JavaScript execution. Additionally, disable account impersonation features in the control panel settings if they are not essential to operations, or implement mandatory re-authentication for impersonation actions. Monitor for any suspicious modifications to user preferences across all accounts and consider resetting preferences for all users after patching to clear any potential injection payloads.

Share

CVE-2026-32612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy