CVE-2026-28426 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Statamic content management system (CMS), which is built on Laravel and Git. The vulnerability affects versions prior to 5.73.11 and versions from 6.0.0 up to but not including 6.4.0. It arises from improper neutralization of input during web page generation in SVG and icon-related components. Authenticated users with appropriate permissions can inject malicious JavaScript payloads into these components. When higher-privileged users view the affected pages, the malicious scripts execute in their browsers, potentially allowing attackers to hijack sessions, steal credentials, perform actions on behalf of the victim, or escalate privileges. The vulnerability requires the attacker to have some level of authenticated access and involves user interaction, but the impact is severe due to the ability to compromise high-privilege accounts. The CVSS v3.1 score of 8.7 reflects a network attack vector, low attack complexity, privileges required, and user interaction, with a scope change and high impact on confidentiality and integrity, but no impact on availability. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to organizations using affected Statamic CMS versions. The issue was addressed in versions 5.73.11 and 6.4.0 by properly sanitizing inputs in the vulnerable components.

The vulnerability can lead to significant security breaches including session hijacking, credential theft, unauthorized actions, and privilege escalation within organizations using the affected Statamic CMS versions. Since the malicious script executes in the context of higher-privileged users, attackers can gain access to sensitive data and administrative functions, potentially compromising the entire CMS and associated web applications. This can result in data breaches, defacement, or further lateral movement within the network. The impact is amplified in environments where Statamic is used for critical business websites or intranet portals. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in organizations with many users or weak access controls. The vulnerability could also be leveraged as a foothold for more advanced attacks, including supply chain compromises or ransomware deployment. The absence of known exploits in the wild provides a window for remediation but should not lead to complacency.

1. Immediately upgrade Statamic CMS to version 5.73.11 or 6.4.0 or later, where the vulnerability has been fixed. 2. Review and restrict user permissions to minimize the number of users who can inject content into SVG and icon components. 3. Implement strict input validation and output encoding on all user-supplied content, especially in custom extensions or plugins interacting with SVG/icon data. 4. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. 5. Conduct regular security audits and penetration testing focusing on authenticated user functionalities. 6. Monitor logs for unusual activities related to SVG or icon content modifications. 7. Educate users with content editing privileges about the risks of injecting untrusted content. 8. Consider deploying Web Application Firewalls (WAF) with rules targeting XSS payloads in authenticated sessions. 9. If immediate upgrade is not feasible, temporarily disable or restrict access to SVG and icon editing features for lower-privileged users.