CVE-2026-32612 is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79 affecting Statamic CMS, a Laravel and Git-powered content management system. The vulnerability resides in the control panel's color mode preference feature, where input is improperly neutralized during web page generation. Authenticated users with control panel access can inject malicious JavaScript code into this preference setting. This malicious script is then stored and executed in the context of a higher-privileged user who impersonates the attacker’s account, enabling potential session hijacking, credential theft, or unauthorized actions within the CMS. The vulnerability affects Statamic versions from 6.0.0 up to but not including 6.6.2 and was addressed in version 6.6.2. The CVSS v3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity but not availability. No public exploits have been reported to date. The flaw highlights the risk of stored XSS in administrative interfaces where privilege escalation can occur through impersonation features.

The primary impact of this vulnerability is the compromise of confidentiality and integrity within affected Statamic CMS installations. An attacker with authenticated control panel access can inject malicious scripts that execute when a higher-privileged user impersonates their account. This can lead to theft of sensitive information such as session tokens or credentials, unauthorized actions performed with elevated privileges, and potential further compromise of the CMS environment. While availability is not directly affected, the breach of trust and control panel integrity can disrupt administrative operations and damage organizational reputation. Organizations relying on Statamic CMS for content management and website administration are at risk, especially those with multiple user roles and impersonation features enabled. The requirement for authentication and user interaction limits the attack surface but does not eliminate risk, particularly in environments with many users or delegated administrative roles.

1. Upgrade Statamic CMS to version 6.6.2 or later immediately to apply the official patch addressing this vulnerability. 2. Review and restrict control panel access permissions to the minimum necessary users, limiting the number of accounts that can modify color mode preferences or impersonate other users. 3. Disable or tightly control the impersonation feature if not essential, as it is the vector for executing the stored XSS payload. 4. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the control panel environment. 5. Conduct regular security audits and penetration testing focusing on stored XSS vectors in administrative interfaces. 6. Educate administrators and users with impersonation privileges about the risks of executing actions under other user contexts. 7. Monitor logs for unusual impersonation activities or unexpected script executions within the control panel. 8. Consider deploying Web Application Firewalls (WAF) with rules tuned to detect and block stored XSS payloads targeting the control panel.