Skip to main content

SVG CVE-2026-33172

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 https://github.com/statamic/cms GHSA-7rcv-55mj-chg7
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:00 vuln.today
CVE Published
Mar 18, 2026 - 19:54 nvd
HIGH 8.7

DescriptionGitHub Advisory

Impact

Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.

Patches

This has been fixed in 5.73.14 and 6.7.0.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability in Statamic CMS allows authenticated users with asset upload permissions to bypass SVG sanitization during asset reuploads, enabling injection of malicious JavaScript that executes when other users view the compromised asset. The vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, with patches available in those releases. The CVSS score of 8.7 (High) reflects the changed scope and high confidentiality/integrity impact, though exploitation requires low-privileged authenticated access and user interaction.

Technical ContextAI

This vulnerability affects the Statamic CMS content management system, distributed as a Composer package (pkg:composer/statamic_cms). The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS variant. The vulnerability emerges from insufficient sanitization of SVG (Scalable Vector Graphics) files during the reupload process. While SVG is an XML-based vector image format that can embed JavaScript through elements like script tags or event handlers, the CMS failed to properly sanitize these files when they were reuploaded by authenticated users. This represents a classic sanitization bypass where security controls are inconsistently applied across different code paths—initial uploads may have been sanitized, but the reupload functionality lacked equivalent protection, allowing malicious SVG payloads to persist in the asset storage and execute when rendered in victims' browsers.

RemediationAI

Upgrade Statamic CMS to version 5.73.14 or later if using the 5.x branch, or to version 6.7.0 or later if using the 6.x branch, as documented in the GitHub Security Advisory at https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7. Until patching is possible, implement compensating controls such as restricting asset upload permissions to only highly trusted users, implementing Content Security Policy (CSP) headers to prevent inline script execution, and conducting security reviews of recently uploaded SVG assets for malicious content. Organizations should also monitor for suspicious SVG uploads and audit user accounts with asset upload permissions to ensure no unauthorized access exists.

Share

CVE-2026-33172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy