CVE-2026-28426

High

Published: 27 February 2026

Published

27 February 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score 0.0001 2.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28426 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Statamic Statamic. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires identifying, reporting, and patching vulnerabilities like the stored XSS in SVG/icon components, directly addressing the fixed versions 5.73.11 and 6.4.0.

SI-15 Information Output Filtering good match

prevent

Information output filtering prevents execution of injected malicious JavaScript in SVG and icon content when viewed by higher-privileged users.

SI-10 Information Input Validation good match

prevent

Information input validation checks and sanitizes inputs to SVG and icon components, blocking malicious JavaScript injection by authenticated users.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

Why these techniques?

Stored XSS enables client-side JS execution in higher-privileged browser contexts (facilitating session hijacking/credential theft and priv-esc) and is exploitable as a public-facing web app vuln.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed…

by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.

Deeper analysisAI

CVE-2026-28426 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Statamic, a Laravel and Git-powered content management system (CMS). The flaw resides in SVG and icon-related components and impacts all versions prior to 5.73.11 and 6.4.0. It carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts across a changed scope.

An authenticated attacker with appropriate permissions can exploit this vulnerability by injecting malicious JavaScript into the affected components. The payload persists as stored XSS and executes in the browser context of higher-privileged users, such as administrators, when they view the compromised SVG or icon content. This requires user interaction from the victim but enables remote network-based attacks with low complexity and low privileges on the attacker's part.

The vulnerability has been addressed in Statamic versions 5.73.11 and 6.4.0, as detailed in the project's release notes and security advisory GHSA-5vrj-wf7v-5wr7. Security practitioners should urge users to upgrade to these patched versions immediately to mitigate the risk.

Details

CWE(s): CWE-79

Affected Products

statamic

≤ 5.73.11 · 6.0.0 — 6.4.0

CVEs Like This One

CVE-2026-33172Same product: Statamic Statamic

CVE-2026-25759Same product: Statamic Statamic

CVE-2026-27196Same product: Statamic Statamic

CVE-2026-28425Same product: Statamic Statamic

CVE-2026-27939Same product: Statamic Statamic

CVE-2026-27593Same product: Statamic Statamic

CVE-2026-28423Same product: Statamic Statamic

CVE-2026-41175Same product: Statamic Statamic

CVE-2025-0817Shared CWE-79

CVE-2026-24665Shared CWE-79

References

https://github.com/statamic/cms/releases/tag/v5.73.11
Release Notes · security-advisories@github.com
https://github.com/statamic/cms/releases/tag/v6.4.0
Release Notes · security-advisories@github.com
https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7
Patch, Vendor Advisory · security-advisories@github.com