Cyber Posture

CVE-2026-33172

High

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (5.73.14 / 6.7.0)
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33172 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Statamic (vendor: Statamic). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its EPSS exploit likelihood ranks at the 1.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent · SI-2 Flaw Remediation: Timely flaw remediation through patching the SVG sanitization bypass directly eliminates the vulnerability exploited in CVE-2026-33172.

Prevent · SI-10 Information Input Validation: Information input validation enforces rigorous sanitization and validation of SVG uploads to block malicious JavaScript injection during reuploads.

Prevent · SI-15 Information Output Filtering: Information output filtering neutralizes injected JavaScript in SVG assets when viewed by preventing script execution in the browser context.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS via unsanitized SVG directly enables JavaScript execution (T1059.007) in victim browser sessions, facilitating session hijacking (T1185) and web session cookie theft (T1539). The flaw itself is an exploitable vulnerability in a public-facing CMS application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.

Deeper analysis [AI-generated]

CVE-2026-33172 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Statamic, a Laravel and Git-powered content management system (CMS). In versions prior to 5.73.14 and 6.7.0, the flaw exists in the handling of SVG asset reuploads, where SVG sanitization can be bypassed. This enables the injection of malicious JavaScript payloads into SVG files. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and potential for significant confidentiality and integrity impacts with changed scope.

An authenticated attacker with asset upload permissions can exploit this vulnerability by reuploading a specially crafted SVG asset containing unsanitized JavaScript. When another user views the malicious SVG asset, the injected JavaScript executes in the context of the viewer's browser session. This could lead to session hijacking, data theft, or further compromise of the victim's account, depending on the privileges of the targeted user.

The Statamic security advisory at https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7 details the issue and confirms patches in versions 5.73.14 and 6.7.0, which address the SVG sanitization bypass. Security practitioners should upgrade affected Statamic installations immediately and review asset upload permissions to limit exposure.
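The input-side and output-side controls listed under Mitigating Controls (SI-10, SI-15) and the reupload path described in the analysis above reduce to one engineering rule: every code path that stores an SVG, including replacing an existing asset, runs the same sanitizer. The advisory on this page does not describe the specific bypass, so the following added example (illustrative code, not Statamic's sanitizer and not taken from the advisory) shows a generic allow-list SVG sanitizer in Python that strips script and foreign-content elements, event-handler attributes and javascript:/data: URLs, refuses DOCTYPE declarations, and an `accept_upload` gate that treats first uploads and reuploads identically. The function names and the two sample SVGs are constructed for this example.

```python
"""Added example: allow-list SVG sanitizer and upload gate.

Illustrative code only; it is not Statamic's sanitizer and does not reproduce
the bypass fixed in 5.73.14 / 6.7.0. Function names and sample SVGs are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script or embed foreign (HTML) content when a browser renders the SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes that hold a URL and could therefore carry a javascript: or data: payload.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
# Schemes allowed in URL attributes; scheme-less values (e.g. "#gradient") are always kept.
SAFE_SCHEMES = {"http", "https"}
# Control characters and whitespace that browsers ignore inside a scheme ("java\nscript:").
_CONTROL_CHARS = re.compile(r"[\x00-\x20]")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _url_scheme(value: str) -> Optional[str]:
    """Return the lowercased URL scheme of an attribute value, or None if it has none."""
    cleaned = _CONTROL_CHARS.sub("", value)
    scheme, sep, _ = cleaned.partition(":")
    if not sep or "/" in scheme:  # no colon, or the colon sits inside a path segment
        return None
    return scheme.lower()


def sanitize_svg(svg_text: str) -> Tuple[str, List[str]]:
    """Parse an SVG, remove active content, and return (cleaned_svg, findings).

    Raises ValueError for input a sanitizer should refuse rather than repair:
    DOCTYPE declarations (entity-expansion tricks), malformed XML, or a
    document whose root element is not <svg>.
    """
    if re.search(r"<!DOCTYPE", svg_text, re.IGNORECASE):
        raise ValueError("DOCTYPE declarations are not accepted in uploaded SVGs")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError("malformed SVG: %s" % exc) from exc
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    findings: List[str] = []

    # Pass 1: collect active elements first, then detach them (no mutation while iterating).
    to_remove = [(parent, child) for parent in root.iter() for child in parent
                 if _local(child.tag) in ACTIVE_ELEMENTS]
    for parent, child in to_remove:
        findings.append("removed <%s> element" % _local(child.tag))
        parent.remove(child)

    # Pass 2: drop event-handler attributes and URL attributes with a disallowed scheme.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append("removed event handler %s on <%s>" % (name, _local(elem.tag)))
                del elem.attrib[attr]
                continue
            if attr in URL_ATTRS:
                scheme = _url_scheme(elem.attrib[attr])
                if scheme is not None and scheme not in SAFE_SCHEMES:
                    findings.append("removed %s: URL on <%s>" % (scheme, _local(elem.tag)))
                    del elem.attrib[attr]

    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), findings


def accept_upload(svg_text: str, strict: bool = True) -> str:
    """Single gate for every store path: initial upload and replace/reupload alike.

    With strict=True any active content rejects the file; with strict=False the
    stripped document is returned for storage. Callers must not skip this gate
    because an asset with the same name already exists.
    """
    cleaned, findings = sanitize_svg(svg_text)
    if strict and findings:
        raise ValueError("active content in SVG: " + "; ".join(findings))
    return cleaned


# Constructed sample inputs (not taken from the advisory).
BENIGN_SVG = ('<svg xmlns="%s" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4" fill="#36c"/></svg>' % SVG_NS)
ACTIVE_SVG = ('<svg xmlns="%s" xmlns:xlink="%s" onload="alert(1)">'
              '<script>alert(1)</script>'
              '<a xlink:href="java&#10;script:alert(1)"><text y="10">hi</text></a>'
              '</svg>' % (SVG_NS, XLINK_NS))

if __name__ == "__main__":
    cleaned, findings = sanitize_svg(ACTIVE_SVG)
    print("findings:", findings)
    print("cleaned:", cleaned)
    print("benign accepted:", accept_upload(BENIGN_SVG))
```

In a real pipeline the create handler and the replace handler both call `accept_upload`, so a reupload cannot reach storage through a path that skipped sanitization. On the output side (SI-15), serving user-supplied SVGs from a separate origin with a restrictive Content-Security-Policy, or with `Content-Disposition: attachment`, keeps any script that does slip through from running in the application's own browser context.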

Details

CWE(s)

CWE-79 (Cross-site Scripting)

Affected Products

statamic · statamic
≤ 5.73.14 · 6.0.0 — 6.7.0

CVEs Like This One

CVE-2026-28426 · Same product: Statamic Statamic
CVE-2026-27196 · Same product: Statamic Statamic
CVE-2026-25759 · Same product: Statamic Statamic
CVE-2026-28425 · Same product: Statamic Statamic
CVE-2026-27593 · Same product: Statamic Statamic
CVE-2026-28423 · Same product: Statamic Statamic
CVE-2026-41175 · Same product: Statamic Statamic
CVE-2026-27939 · Same product: Statamic Statamic
CVE-2025-26989 · Shared CWE-79
CVE-2026-27385 · Shared CWE-79
