CVE-2026-27196
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Statamic CMS allows authenticated users with field management permissions to inject malicious JavaScript into HTML fieldtypes. When higher-privileged users view the compromised content, the malicious code executes in their browser context. This affects Statamic CMS versions 5.73.8 and below, plus 6.0.0-alpha.1 through 6.3.1.
💻 Affected Systems
- Statamic CMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with field management permissions could inject JavaScript that steals administrator session cookies, performs actions as administrators, or installs backdoors, potentially leading to complete system compromise.
Likely Case
Malicious users with field editing access inject scripts that steal session tokens or perform unauthorized actions when administrators view the compromised content.
If Mitigated
With proper input validation and output encoding, the injected scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access with field management permissions; XSS payloads are well-documented and easy to craft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.2 and 5.73.9
Vendor Advisory: https://github.com/statmatic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
Restart Required: No
Instructions:
1. Update Statamic CMS to version 6.3.2 or 5.73.9.
2. For Laravel applications: composer require statamic/cms:^6.3.2 or composer require statamic/cms:^5.73.9.
3. Clear the application cache: php artisan cache:clear.
4. Verify the update with php artisan statamic:version.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation to sanitize HTML field inputs and ensure proper output encoding when displaying content.
Content Security Policy
Implement a strict Content Security Policy header to restrict script execution sources.
🧯 If You Can't Patch
- Restrict field management permissions to trusted administrators only
- Implement web application firewall rules to block common XSS payload patterns
🔍 How to Verify
Check if Vulnerable:
Check the Statamic version: php artisan statamic:version. If the version is ≤5.73.8 or between 6.0.0-alpha.1 and 6.3.1, the system is vulnerable.
Check Version:
php artisan statamic:version
Verify Fix Applied:
After patching, verify version is 6.3.2 or 5.73.9 with php artisan statamic:version. Test HTML field inputs with basic XSS payloads like <script>alert('test')</script> to ensure they're properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML field modifications containing script tags or JavaScript code
- Multiple failed login attempts followed by field management activity
Network Indicators:
- Outbound connections to suspicious domains from administrator sessions
- Unusual POST requests to field update endpoints with encoded payloads
SIEM Query:
source="web_logs" AND (uri="/cp/fields/*" OR uri="/cp/blueprints/*") AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
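The SIEM query above, expressed as offline detection logic that can be run over exported web logs. This is an added example, not part of the advisory or of Statamic; it assumes JSON log lines with source, uri and body fields, and it goes slightly beyond the literal query by URL-decoding the body and matching case-insensitively so that the encoded payloads mentioned under Network Indicators are also caught.

```python
"""Detect field/blueprint updates whose body carries a script marker (constructed logs)."""
import json
import re
from urllib.parse import unquote

# Control-panel endpoints named in the advisory's SIEM query.
FIELD_ENDPOINTS = ("/cp/fields/", "/cp/blueprints/")
# Payload markers from the query; matched case-insensitively on the decoded body.
MARKERS = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def normalise_body(body: str) -> str:
    """URL-decode a bounded number of times so percent-encoded payloads are visible."""
    for _ in range(3):
        decoded = unquote(body)
        if decoded == body:
            break
        body = decoded
    return body


def is_suspicious(event: dict) -> bool:
    """True when a web_logs event hits a field/blueprint endpoint with a script marker."""
    if event.get("source") != "web_logs":
        return False
    if not event.get("uri", "").startswith(FIELD_ENDPOINTS):
        return False
    return MARKERS.search(normalise_body(event.get("body", ""))) is not None


def scan(lines):
    """Return (line_no, uri) for every JSON log line that matches; skip unparsable lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append((n, event["uri"]))
    return hits


# Constructed sample log lines (assumed field names; not real traffic).
SAMPLE_LOGS = [
    '{"source":"web_logs","method":"POST","uri":"/cp/fields/html_body","body":"instructions=Enter+text"}',
    '{"source":"web_logs","method":"POST","uri":"/cp/fields/html_body","body":"default=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"source":"web_logs","method":"POST","uri":"/cp/blueprints/pages","body":"link=JavaScript:void(0)"}',
    '{"source":"web_logs","method":"POST","uri":"/cp/entries/1","body":"content=%3Cscript%3E"}',
    '{"source":"app_logs","uri":"/cp/fields/x","body":"<script>"}',
]

if __name__ == "__main__":
    for line_no, uri in scan(SAMPLE_LOGS):
        print(f"line {line_no}: suspicious field update to {uri}")
```

Lines 4 and 5 of the sample are deliberately outside the query's scope (wrong endpoint, wrong source) and are not reported.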