SVG CVE-2026-33172
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.
Patches
This has been fixed in 5.73.14 and 6.7.0.
AnalysisAI
A stored cross-site scripting (XSS) vulnerability in Statamic CMS allows authenticated users with asset upload permissions to bypass SVG sanitization during asset reuploads, enabling injection of malicious JavaScript that executes when other users view the compromised asset. The vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, with patches available in those releases. The CVSS score of 8.7 (High) reflects the changed scope and high confidentiality/integrity impact, though exploitation requires low-privileged authenticated access and user interaction.
Technical ContextAI
This vulnerability affects the Statamic CMS content management system, distributed as a Composer package (pkg:composer/statamic_cms). The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS variant. The vulnerability emerges from insufficient sanitization of SVG (Scalable Vector Graphics) files during the reupload process. While SVG is an XML-based vector image format that can embed JavaScript through elements like script tags or event handlers, the CMS failed to properly sanitize these files when they were reuploaded by authenticated users. This represents a classic sanitization bypass where security controls are inconsistently applied across different code paths—initial uploads may have been sanitized, but the reupload functionality lacked equivalent protection, allowing malicious SVG payloads to persist in the asset storage and execute when rendered in victims' browsers.
RemediationAI
Upgrade Statamic CMS to version 5.73.14 or later if using the 5.x branch, or to version 6.7.0 or later if using the 6.x branch, as documented in the GitHub Security Advisory at https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7. Until patching is possible, implement compensating controls such as restricting asset upload permissions to only highly trusted users, implementing Content Security Policy (CSP) headers to prevent inline script execution, and conducting security reviews of recently uploaded SVG assets for malicious content. Organizations should also monitor for suspicious SVG uploads and audit user accounts with asset upload permissions to ensure no unauthorized access exists.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7rcv-55mj-chg7