CVE-2026-28425
Published: 27 February 2026
Summary
CVE-2026-28425 is a high-severity Code Injection (CWE-94) vulnerability in Statamic. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 40.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through patching to Statamic versions 5.73.16 or 6.7.2 directly eliminates the code injection vulnerability enabling RCE.
Validating and sanitizing user inputs in Antlers-enabled fields prevents code injection (CWE-94) that leads to arbitrary code execution.
Restricting or prohibiting unnecessary Antlers templating functionality on user-controlled content prevents exposure to this RCE vulnerability.
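The two mitigations above (patch to a fixed release; restrict Antlers on user-controlled content) are easy to turn into an audit. The following is an added example, not code from Statamic or from this advisory: it checks an installed core version against the patched versions named here (5.73.16 and 6.7.2) and scans a blueprint for fields that have Antlers parsing switched on. It assumes that blueprints are YAML with per-field definitions and that Antlers is enabled on a field by an `antlers: true` key; the blueprint text embedded below is constructed for illustration.

```python
"""
Audit helper for CVE-2026-28425 (added example, not Statamic's own code).

1. is_patched(): is the installed Statamic core at or above the fixed release
   for its major line (5.73.16 / 6.7.2, from the advisory)?
2. antlers_enabled_fields(): which blueprint fields render user content through
   Antlers? Assumes the field-level key is `antlers: true` (assumption).
"""
import re
from typing import List, Optional, Tuple

# Fixed versions from the advisory, keyed by major line.
PATCHED = {5: (5, 73, 16), 6: (6, 7, 2)}

# Constructed sample blueprint (not a real project file).
SAMPLE_BLUEPRINT = """\
title: Article
tabs:
  main:
    sections:
      -
        fields:
          -
            handle: content
            field:
              type: markdown
              antlers: true
          -
            handle: teaser
            field:
              type: textarea
              antlers: false
          -
            handle: title
            field:
              type: text
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v5.73.16' or '5.73.16' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release of its major line.

    Major lines the advisory does not mention are reported as unpatched so that
    the caller must verify them by hand rather than silently pass.
    """
    parsed = parse_version(version)
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return False
    return parsed >= fixed


def antlers_enabled_fields(blueprint_yaml: str) -> List[str]:
    """Return handles of fields with `antlers: true` (assumed key name).

    A line-based scan is enough for this key: each field block starts with a
    `handle:` line, and any following `antlers: true` belongs to that field.
    """
    enabled: List[str] = []
    current: Optional[str] = None
    for raw in blueprint_yaml.splitlines():
        line = raw.strip()
        m = re.match(r"handle:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current and re.match(r"antlers:\s*true\b", line):
            enabled.append(current)
    return enabled


def audit(version: str, blueprint_yaml: str) -> dict:
    """Combine both checks into one report for an operator."""
    return {
        "version": version,
        "patched": is_patched(version),
        "antlers_fields": antlers_enabled_fields(blueprint_yaml),
    }


if __name__ == "__main__":
    report = audit("5.73.15", SAMPLE_BLUEPRINT)
    print(report)
    if not report["patched"] and report["antlers_fields"]:
        print("ACTION: unpatched core with Antlers-enabled fields exposed to editors")
```

An unpatched core combined with a non-empty `antlers_fields` list is the configuration the advisory describes; the field list also tells you which editor permissions (configure fields, edit entries) are worth tightening until the update is applied.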
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated RCE via code injection (CWE-94) in public-facing Statamic CMS directly enables T1190 (exploiting internet-facing app for access) and T1068 (escalating from low-priv control panel user to arbitrary code execution and full compromise).
NVD Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.
Deeper analysis
CVE-2026-28425 is a remote code execution vulnerability affecting Statamic, a Laravel and Git-powered content management system. In versions prior to 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs can execute arbitrary code within the application context. This stems from CWE-94 (code injection) and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires an authenticated attacker with specific control panel permissions, such as those allowing configuration of Antlers-enabled content fields, editing of entries, or access to built-in features like Forms email notification settings. Third-party addons, such as SEO Pro, that introduce Antlers-enabled fields may also expose the issue if the attacker has relevant permissions. Successful exploitation leads to full application compromise, including access to sensitive configuration, data modification or exfiltration, and potential denial of service impacting availability.
The vulnerability has been addressed in Statamic versions 5.73.16 and 6.7.2. Users relying on addons dependent on Statamic must ensure they are running a patched core version post-update. Official advisories and release notes are available at the Statamic GitHub security advisory (GHSA-cpv7-q2wx-m8rw) and relevant release tags.
Details
- CWE(s)