
CVE-2026-28425: CWE-94: Improper Control of Generation of Code ('Code Injection') in statamic cms

Severity: High
Published: Fri Feb 27 2026 (02/27/2026, 22:20:39 UTC)
Source: CVE Database V5
Vendor/Project: statamic
Product: cms

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.11 and 6.4.0. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

AI-Powered Analysis

AI analysis last updated: 02/27/2026, 22:49:18 UTC

Technical Analysis

CVE-2026-28425 is a high-severity code injection vulnerability (CWE-94, CVSS 3.1 base score 8.0) in the Statamic content management system, which is built on Laravel and stores content in Git. The flaw lies in how Statamic evaluates Antlers, its own templating language, when Antlers is enabled on inputs that control panel users can edit: content fields with Antlers explicitly enabled, built-in configuration that accepts Antlers such as the Forms email notification settings, and fields that third-party addons such as SEO Pro add to entries. An authenticated control panel user holding the relevant permissions (configuring fields plus editing entries, or editing form configuration) can place template syntax in such an input. Because Antlers is parsed and evaluated inside the running application, the injected template executes with the privileges of the PHP application process, which amounts to remote code execution in the application context. From there an attacker can read the application configuration and secrets (for a Laravel application, typically the .env file), modify or exfiltrate stored content, and disrupt availability. Affected versions are all releases prior to 5.73.11 on the 5.x line and 6.x releases prior to 6.4.0; 5.73.11 and 6.4.0 contain the fix. Exploitation requires an authenticated account with specific permissions, which limits the pool of potential attackers to control panel users, but the issue remains significant wherever such accounts can be phished, reused or held by a hostile insider. The advisory does not describe the mechanics of the fix, and no public exploit had been reported at the time of analysis.

Potential Impact

The impact is substantial for organizations running Statamic, particularly where several people hold control panel accounts with field-configuration, entry-editing or form-configuration permissions. Successful exploitation gives the attacker code execution as the web application, which in practice means full compromise of the site: reading configuration and credentials, altering or deleting content, establishing persistence, and taking the site offline. The consequences are data breaches, loss of integrity and downtime, with the associated business-continuity, reputational and regulatory exposure. Because the prerequisite is an authenticated account rather than anonymous access, the risk is highest where control panel credentials are weak, reused or already exposed, and in setups where many editors share one install. Third-party addons that add Antlers-enabled fields widen the set of users who can reach the vulnerable path, since an editor with entry-edit permission may reach such a field without holding the permission to configure fields. The absence of known exploitation in the wild lowers the immediate risk, but the severity score and the simplicity of the attack path for an authorized user warrant prompt remediation.

Mitigation Recommendations

Upgrade Statamic to 5.73.11 (5.x line) or 6.4.0 (6.x line) or later; this is the only complete fix. Confirm the installed core version after deployment rather than relying on an addon's version, since addons such as SEO Pro depend on Statamic core and a patched addon does not imply a patched core (composer show statamic/cms reports the locked version). Until the upgrade is deployed, reduce the reachable surface: review control panel roles and grant the permissions to configure fields, edit entries and configure forms only to users who need them; list the blueprint fields that have Antlers explicitly enabled and turn the option off where the content is not actually used as a template; restrict who can edit Forms email notification settings; and inventory third-party addons for fields that enable Antlers on entry content. Enforce multi-factor authentication on control panel accounts and rotate any credentials that may have been exposed, since a valid account is the only prerequisite the attacker needs. Monitor the CMS and its Git history for edits that introduce template syntax into content fields, blueprint changes that turn Antlers on, and changes to form notification settings, and treat these as review events. A web application firewall is of limited value here, because the payload arrives as an ordinary authenticated edit over the normal control panel path and legitimate Antlers content looks the same; it should not be relied upon as the primary control. Keep recent backups of both the code and the content repository, and have an incident response plan that covers rotating application secrets if compromise is suspected.
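The first two steps above (confirm the core version, inventory the fields with Antlers enabled) can be scripted. The following Python is an added example and is not Statamic's own code. It assumes that composer.lock lists statamic/cms under "packages", that blueprint fields opt into Antlers with the field option antlers: true, and it runs on a constructed composer.lock and blueprint embedded inline (the blueprint path and field handles are hypothetical). It does not inspect Forms email notification settings or addon-provided fields, which still need a manual review.

```python
"""Audit a Statamic install for CVE-2026-28425 exposure (added example).

Two checks:
  1. Is the locked statamic/cms version below the fixed releases
     (5.73.11 on the 5.x line, 6.4.0 on the 6.x line)?
  2. Which blueprint fields have Antlers explicitly enabled
     (`antlers: true`), i.e. the inputs the advisory names as reachable
     by an authenticated control-panel user?

The composer.lock and blueprint below are constructed sample input;
the blueprint path and field handles are hypothetical.
"""
import json
import re

FIXED_5X = (5, 73, 11)
FIXED_6X = (6, 4, 0)


def parse_version(text):
    """'v5.73.10' or '6.3.2' -> (5, 73, 10); anything after the patch number is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is 'prior to 5.73.11 or 6.4.0' per the advisory.

    Releases below 5 are treated as affected too (assumption: they never
    received the fix). 7.x and later are treated as unaffected.
    """
    v = parse_version(version)
    if v[0] >= 6:
        return v < FIXED_6X
    return v < FIXED_5X


def installed_statamic_version(composer_lock_text):
    """Return the locked statamic/cms version from composer.lock, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "statamic/cms":
            return pkg["version"]
    return None


HANDLE_LINE = re.compile(r"^\s*handle:\s*(\S+)\s*$")
ANTLERS_LINE = re.compile(r"^\s*antlers:\s*true\s*$")


def antlers_enabled_fields(blueprint_yaml):
    """Line-scan a blueprint for fields carrying `antlers: true`.

    Blueprints list each field as `handle: ...` followed by a `field:` mapping,
    so the scan remembers the most recent handle and reports it when an
    `antlers: true` line follows. This is a deliberate heuristic so the example
    needs no YAML library; `antlers: false` and fields without the key are skipped.
    """
    found = []
    current = None
    for line in blueprint_yaml.splitlines():
        m = HANDLE_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and ANTLERS_LINE.match(line):
            found.append(current)
    return found


def audit(composer_lock_text, blueprints):
    """blueprints maps path -> YAML text. Returns a findings dict."""
    version = installed_statamic_version(composer_lock_text)
    exposed = {path: antlers_enabled_fields(text) for path, text in blueprints.items()}
    return {
        "version": version,
        "affected_version": version is not None and is_affected(version),
        "antlers_fields": {p: f for p, f in exposed.items() if f},
    }


# Constructed sample input: a vulnerable 5.x lock and one blueprint with one Antlers field.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v5.73.10"},
    ]
})

SAMPLE_BLUEPRINT = """\
title: Article
tabs:
  main:
    sections:
      -
        fields:
          -
            handle: title
            field:
              type: text
          -
            handle: intro
            field:
              type: textarea
              antlers: true
          -
            handle: body
            field:
              type: markdown
              antlers: false
"""

if __name__ == "__main__":
    report = audit(SAMPLE_COMPOSER_LOCK,
                   {"resources/blueprints/collections/articles/article.yaml": SAMPLE_BLUEPRINT})
    print(json.dumps(report, indent=2))
```

On a real install, feed audit() the contents of composer.lock and every YAML file under resources/blueprints; a field reported here is one to either disable or restrict to trusted editors until the core is on a fixed version. The scan is intentionally conservative: a blueprint that enables Antlers through a mechanism other than the literal `antlers: true` line, or an addon that registers fields in code, will not appear in the output.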


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-27T15:54:05.136Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a21f2232ffcdb8a27f4a94

Added to database: 2/27/2026, 10:48:02 PM

Last enriched: 2/27/2026, 10:49:18 PM

Last updated: 2/28/2026, 12:55:29 AM


