CVE-2026-32612: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in statamic cms
CVE-2026-32612 is a stored cross-site scripting (XSS) vulnerability in Statamic CMS versions 6.0.0 up to but not including 6.6.2. It affects the control panel color mode preference feature, allowing authenticated users with control panel access to inject malicious JavaScript. This script executes when a higher-privileged user impersonates the compromised account, potentially leading to session hijacking or privilege escalation. The vulnerability requires authentication and user interaction (impersonation). It has a CVSS score of 5.4 (medium severity) and was fixed in version 6.6.2.
AI Analysis
Technical Summary
CVE-2026-32612 is a stored cross-site scripting (XSS) vulnerability identified in the Statamic content management system (CMS), which is built on Laravel and Git. The vulnerability exists in the control panel's color mode preference feature, where improper neutralization of input allows an authenticated user with control panel access to store malicious JavaScript in the preference value. The stored script executes when a higher-privileged user impersonates the attacker's account within the control panel. The attack therefore requires the attacker to hold at least low-privileged authenticated access to the control panel and depends on user interaction, specifically the impersonation feature, to trigger the payload. The vulnerability affects all Statamic CMS versions from 6.0.0 up to but not including 6.6.2, where the issue has been patched. The CVSS 3.1 base score is 5.4 (medium severity): network attack vector, low attack complexity, low privileges required, and user interaction required. The impact includes potential confidentiality and integrity loss, such as session hijacking, unauthorized actions, or further privilege escalation within the CMS environment. No public exploits have been reported to date, but the vulnerability's presence in a widely used CMS component makes it a notable risk for organizations relying on Statamic for content management.
Potential Impact
The primary impact of this vulnerability is the potential for attackers with low-level authenticated access to inject malicious JavaScript that executes in the context of higher-privileged users during impersonation. This can lead to session hijacking, theft of sensitive information, unauthorized actions within the CMS, and possible privilege escalation. Organizations using affected Statamic versions risk compromise of their CMS control panels, which could lead to website defacement, data leakage, or further infiltration into internal networks. Since the vulnerability requires authentication and user interaction, the attack surface is somewhat limited; however, in environments where multiple users have control panel access or impersonation is frequently used, the risk is elevated. The vulnerability does not affect availability directly but compromises confidentiality and integrity. Given Statamic’s use in various industries for content management, the impact can be significant, especially for organizations with sensitive or high-profile web content.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Statamic CMS to version 6.6.2 or later, where the issue is patched. Until the upgrade can be performed, restrict control panel access to trusted users only and limit the use of the impersonation feature to essential cases with strict monitoring. Implement strong authentication mechanisms and session management to reduce the risk of session hijacking. Conduct regular audits of user permissions and control panel activity logs to detect suspicious behavior. Additionally, apply web application firewall (WAF) rules that can detect and block common XSS payload patterns targeting the control panel. Educate administrators about the risks of impersonation and encourage cautious use of this feature. Finally, ensure that input validation and output encoding best practices are followed in custom plugins or extensions to prevent similar vulnerabilities.
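As a practical first step for the upgrade recommendation above, the following script (an added example, not part of this advisory or of Statamic) reads a composer.lock and reports whether the locked statamic/cms package falls inside the affected range 6.0.0 <= version < 6.6.2. It assumes the standard composer.lock layout (a "packages" and "packages-dev" list of objects with "name" and "version"), and the sample lockfile at the bottom is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Affected range taken from the advisory: 6.0.0 <= version < 6.6.2
AFFECTED_MIN = (6, 0, 0)
FIXED_IN = (6, 6, 2)
PACKAGE = "statamic/cms"  # Composer package name of Statamic CMS

def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn a Composer version ('v6.6.1', '6.6.2-beta.1') into a comparable tuple.
    Pre-release/build suffixes are ignored; non-semver strings such as 'dev-main' give None."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version: str) -> Optional[bool]:
    """True if inside the affected range, False if outside it, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED_IN

def installed_statamic_version(lock_json: str) -> Optional[str]:
    """Return the locked statamic/cms version from composer.lock contents, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

def check_lockfile(lock_json: str) -> str:
    """Classify a composer.lock as 'affected', 'not-affected', 'unknown' or 'not-installed'."""
    version = installed_statamic_version(lock_json)
    if version is None:
        return "not-installed"
    affected = is_affected(version)
    if affected is None:
        return "unknown"  # e.g. a dev branch; verify the installed commit manually
    return "affected" if affected else "not-affected"

# Constructed sample lockfile (not from a real project) pinning a vulnerable release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0"},
    {"name": "statamic/cms", "version": "v6.6.1"}]})
```

For a real project, call `check_lockfile(open("composer.lock").read())`; a result of "unknown" (dev branch) or "affected" should be treated as unpatched until confirmed otherwise.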
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T14:54:24.270Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b3375b2f860ef943024599
Added to database: 3/12/2026, 9:59:55 PM
Last enriched: 3/20/2026, 2:29:13 AM
Last updated: 4/27/2026, 2:00:07 AM