CVE-2026-28425: CWE-94: Improper Control of Generation of Code ('Code Injection') in statamic cms
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content: for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.
AI Analysis
Technical Summary
CVE-2026-28425 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting Statamic CMS, a Laravel and Git-powered content management system. The flaw exists in versions prior to 5.73.16 and 6.7.2, where authenticated control panel users with permissions to access Antlers-enabled inputs can inject and execute arbitrary code within the application context. Antlers is Statamic's templating language, and this vulnerability manifests when Antlers templates are run on user-controlled content fields, such as content fields explicitly enabled for Antlers, built-in configurations like Forms email notification settings, or third-party addons that add Antlers-enabled fields (e.g., SEO Pro addon). The attacker must have relevant control panel permissions to configure fields and edit entries or configure forms, which restricts exploitation to authorized users. Exploitation can lead to remote code execution, enabling attackers to access sensitive configuration data, modify or exfiltrate stored data, and potentially disrupt application availability. The vulnerability is due to insufficient sanitization or validation of user input that is processed as executable code in Antlers templates. Statamic addressed this issue in versions 5.73.16 and 6.7.2 by improving input handling and restricting code execution paths. No known exploits are reported in the wild yet, but the high CVSS score (8.0) reflects the significant risk posed by this vulnerability if exploited.
Potential Impact
The impact of CVE-2026-28425 is substantial for organizations using Statamic CMS, especially those with multiple authenticated control panel users or third-party addons that enable Antlers templates on user inputs. Successful exploitation allows remote code execution within the application context, which can lead to complete compromise of the CMS environment. Attackers could access sensitive configuration files, modify website content, exfiltrate confidential data, or disrupt service availability. This could result in data breaches, defacement, loss of customer trust, and operational downtime. Since the vulnerability requires authenticated access with specific permissions, insider threats or compromised user accounts pose a significant risk. Organizations relying on Statamic for public-facing websites or internal portals may face reputational damage and regulatory consequences if exploited. Additionally, third-party addons that enable Antlers templates increase the attack surface, necessitating careful review of all installed extensions.
Mitigation Recommendations
1. Immediately upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later to apply the official patch addressing this vulnerability.
2. Review and restrict control panel user permissions to the minimum necessary, especially permissions related to configuring fields, editing entries, and configuring forms.
3. Audit all third-party addons for use of Antlers-enabled fields and ensure they are compatible with patched Statamic versions.
4. Implement strong authentication mechanisms such as multi-factor authentication (MFA) for control panel users to reduce the risk of account compromise.
5. Monitor logs for unusual activity related to control panel access and Antlers template usage.
6. Conduct regular security reviews and penetration testing focusing on CMS user roles and template injection risks.
7. Educate administrators and developers about the risks of code injection via templating engines and enforce secure coding practices when extending CMS functionality.
8. If immediate patching is not possible, consider disabling Antlers execution on user-controlled inputs where feasible as a temporary mitigation.
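Because the fix lives in the core package that addons depend on, the practical check for step 1 and step 3 is to read the locked statamic/cms version and compare it against the fixed releases named in the advisory (5.73.16 on the 5.x line, 6.7.2 on the 6.x line). The script below is an added example, not Statamic's or the advisory's own tooling; it assumes the standard composer.lock layout (a `packages` array of objects with `name` and `version`), and the lock file contents it embeds are constructed for illustration.

```python
import json
from typing import Optional

# Fixed releases from the advisory, keyed by major line.
# The trailing 1 marks a final release; pre-releases get 0 (see parse_version).
FIXED_VERSIONS = {5: (5, 73, 16, 1), 6: (6, 7, 2, 1)}

# Constructed composer.lock excerpt (not from any real project).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v5.73.15"},
        {"name": "statamic/seo-pro", "version": "v6.0.0"},
    ]
})


def parse_version(v: str) -> tuple:
    """Turn 'v5.73.15' or '6.7.2-beta.1' into a comparable 4-tuple."""
    core, is_release = v.lstrip("vV"), 1
    if "-" in core:              # pre-release suffix sorts before the final release
        core, is_release = core.split("-", 1)[0], 0
    core = core.split("+", 1)[0]  # drop build metadata
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], is_release)


def installed_version(lock_json: str, package: str) -> Optional[str]:
    """Return the locked version string of `package`, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_patched(version: str) -> bool:
    """True if this statamic/cms version includes the CVE-2026-28425 fix."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Majors above 6 postdate the fix; majors below 5 are "prior to" both fixed releases.
        return parsed[0] > 6
    return parsed >= fixed


def audit(lock_json: str) -> dict:
    """Report the installed statamic/cms version and whether it is patched."""
    version = installed_version(lock_json, "statamic/cms")
    if version is None:
        return {"installed": None, "patched": None}
    return {"installed": version, "patched": is_patched(version)}
```

Run `audit(open("composer.lock").read())` from the project root; a `patched: False` result means the core package still needs the upgrade from step 1 even if every addon is already at its latest release.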
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:54:05.136Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a21f2232ffcdb8a27f4a94
Added to database: 2/27/2026, 10:48:02 PM
Last enriched: 3/26/2026, 12:05:33 AM
Last updated: 4/13/2026, 1:37:26 PM