Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.
AnalysisAI
Statamic CMS versions prior to 6.6.2 contain a stored cross-site scripting (XSS) vulnerability in the control panel color mode preference functionality that allows authenticated users to inject malicious JavaScript code. When a higher-privileged administrator impersonates or accesses the account of an authenticated user who has injected malicious code, the JavaScript executes in the administrator's browser session with their elevated privileges. This vulnerability is network-accessible and requires low privileges but user interaction from the victim, resulting in a CVSS score of 5.4 with potential for session hijacking, data theft, or further privilege escalation depending on the administrator's role and permissions.
Technical ContextAI
Statamic is a Laravel-based content management system (CMS) that integrates Git for version control and provides a web-based control panel for content management. The vulnerability exists in how user preferences, specifically the color mode setting, are stored and rendered without proper output encoding or content security policy enforcement. This falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS vulnerability where user-controlled input is persisted in a database and later rendered in HTML context without sanitization. The attack vector targets the control panel authentication mechanism, meaning the attacker must first obtain valid credentials to access the control panel. The vulnerability is specific to the preference storage mechanism and affects the CPE designation for Statamic prior to version 6.6.2 (cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* with versions before 6.6.2).
RemediationAI
Immediately upgrade Statamic to version 6.6.2 or later, which contains the fix for the stored XSS vulnerability in the color mode preference setting. This patch properly sanitizes and encodes user input in the preference storage and rendering mechanisms. Organizations unable to patch immediately should implement the following compensating controls: restrict control panel access to a minimal set of trusted administrators using network-level access controls (IP whitelisting via reverse proxy or firewall), enforce strong multi-factor authentication for all control panel accounts to prevent credential compromise, regularly audit control panel login logs and preference changes for suspicious activity, and implement Content Security Policy (CSP) headers with strict directives to limit JavaScript execution. Additionally, disable account impersonation features in the control panel settings if they are not essential to operations, or implement mandatory re-authentication for impersonation actions. Monitor for any suspicious modifications to user preferences across all accounts and consider resetting preferences for all users after patching to clear any potential injection payloads.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11732
GHSA-hcch-w73c-jp4m