CVE-2026-28426: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in statamic cms
CVE-2026-28426 is a high-severity stored cross-site scripting (XSS) vulnerability in the Statamic CMS affecting versions prior to 5.73.11 and between 6.0.0 and 6.4.0. The flaw exists in SVG and icon-related components, allowing authenticated users with certain permissions to inject malicious JavaScript. This script executes when viewed by users with higher privileges, potentially compromising confidentiality and integrity. Exploitation requires authentication and user interaction (viewing the malicious content).
AI Analysis
Technical Summary
CVE-2026-28426 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Statamic content management system (CMS), which is built on Laravel and Git. The vulnerability affects versions prior to 5.73.11 and versions from 6.0.0 up to but not including 6.4.0. It specifically resides in the SVG and icon-related components of the CMS, where improper neutralization of input during web page generation allows authenticated users with appropriate permissions to inject malicious JavaScript code. This malicious script is stored persistently and executes in the context of higher-privileged users when they view the affected content, enabling potential privilege escalation, session hijacking, or data theft. The attack vector requires the attacker to have some level of authenticated access and the victim to interact by viewing the injected content, which limits exploitation but still poses significant risk in multi-user environments. The vulnerability has been assigned a CVSS v3.1 base score of 8.7, reflecting high severity due to its impact on confidentiality and integrity, ease of exploitation with low attack complexity, and the scope affecting other users. No known exploits have been reported in the wild as of the publication date, but the vulnerability has been publicly disclosed and fixed in Statamic versions 5.73.11 and 6.4.0. Organizations using affected versions should update promptly to mitigate this risk.
Potential Impact
The primary impact of this vulnerability is the potential for privilege escalation and compromise of sensitive information within organizations using Statamic CMS. An attacker with authenticated access and appropriate permissions can inject malicious scripts that execute in the browsers of higher-privileged users, such as administrators. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, theft of confidential data, or further compromise of the CMS environment. Since the vulnerability affects web page generation components related to SVG and icons, it may be leveraged to target administrative interfaces or content management workflows. The exploitation requires user interaction but can have a broad impact in environments with multiple users and hierarchical permissions. Organizations relying on Statamic CMS for website or content management, especially those with sensitive or critical data, face risks of data breaches, reputational damage, and operational disruption if this vulnerability is exploited.
Mitigation Recommendations
To mitigate CVE-2026-28426, organizations should immediately upgrade Statamic CMS to version 5.73.11 or later, or 6.4.0 or later, where the vulnerability has been patched. In addition to patching, administrators should review user permissions to ensure that only trusted users have the ability to modify SVG or icon components, minimizing the attack surface. Implementing strict input validation and output encoding on all user-supplied content, especially in SVG and icon-related fields, can provide additional defense in depth. Monitoring logs for unusual activity related to content changes or script injections can help detect attempted exploitation. Employing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts can reduce the impact of any injected malicious code. Regular security audits and user training on phishing and social engineering risks can further reduce the likelihood of successful exploitation. Finally, segregating administrative roles and limiting access to the CMS backend can help contain potential attacks.
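As an added illustration of the input validation and output encoding advice above (example code written for this page, not Statamic's own code or its fix), the following Python strips script-bearing content from an SVG icon before it is stored and reports each item removed, so a reviewer can log it. It assumes the stdlib XML parser and a constructed sample SVG; the element and attribute lists are the standard ones a defender would block, not anything taken from the vulnerable component.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Keep the SVG default namespace and the xlink prefix readable on output.
ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Elements that can run or embed script inside an SVG, and URL schemes that make an href executable.
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip Clark-notation namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (clean_svg, findings); each finding names one removed item."""
    findings: list[str] = []
    # For untrusted input in production, parse with defusedxml to block entity-expansion attacks.
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    for parent in list(root.iter()):          # materialise first: removal during iteration skips siblings
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                findings.append(f"element <{_local(child.tag)}>")
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            name, value = _local(attr), elem.attrib[attr]
            if name.startswith("on"):                             # onload, onclick, ...
                findings.append(f"event handler {name}")
                del elem.attrib[attr]
            elif name == "href" and SCRIPT_SCHEME.match(value):   # href and xlink:href
                findings.append(f"href with scheme {value.split(':', 1)[0].strip().lower()}")
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample: an icon upload carrying a script element, an event handler
# and a javascript: link alongside a legitimate shape.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('xss')">
  <script>alert('xss')</script>
  <a xlink:href="javascript:alert('xss')"><circle cx="5" cy="5" r="4"/></a>
  <rect width="10" height="10" fill="red"/>
</svg>"""
```

Run sanitize_svg on every uploaded icon at write time and alert on any non-empty findings list; a clean file passes through with its shapes intact.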
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Netherlands, France, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:54:05.137Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a2210832ffcdb8a2802147
Added to database: 2/27/2026, 10:56:08 PM
Last enriched: 2/27/2026, 11:10:26 PM
Last updated: 2/28/2026, 12:58:15 AM