CVE-2026-33172 is a stored cross-site scripting (XSS) vulnerability identified in the Statamic content management system, which is built on Laravel and Git. The vulnerability affects versions prior to 5.73.14 and 6.7.0. It arises from improper neutralization of input during web page generation, specifically in the handling of SVG asset reuploads. Authenticated users with permissions to upload assets can exploit this flaw by uploading specially crafted SVG files that bypass the CMS's SVG sanitization process. When these malicious SVG assets are viewed within the CMS or by users, embedded JavaScript code executes in the context of the victim's browser. This can lead to session hijacking, credential theft, or further exploitation of the web application. The vulnerability requires the attacker to have authenticated access with asset upload rights and some user interaction to trigger the payload. The CVSS v3.1 score of 8.7 reflects a network attack vector with low complexity, requiring privileges and user interaction, and resulting in high confidentiality and integrity impacts but no availability impact. The vulnerability has been fixed in Statamic versions 5.73.14 and 6.7.0. No public exploit code or active exploitation has been reported to date.

The impact of CVE-2026-33172 is significant for organizations using vulnerable versions of Statamic CMS. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the web application, potentially leading to theft of sensitive information such as authentication tokens, user credentials, or other confidential data. It can also facilitate further attacks like privilege escalation, phishing, or malware distribution within the affected environment. Since the vulnerability requires authenticated access with asset upload permissions, insider threats or compromised user accounts pose a substantial risk. The integrity of web content can be compromised, damaging organizational reputation and trust. Although availability is not directly affected, the indirect consequences of data breaches and trust erosion can be severe. Organizations relying on Statamic for public-facing or internal web portals are at risk of targeted attacks, especially if they have weak access controls or insufficient monitoring of asset uploads.

To mitigate CVE-2026-33172, organizations should immediately upgrade Statamic CMS to versions 5.73.14 or 6.7.0 or later, where the vulnerability has been patched. Until upgrades can be applied, restrict asset upload permissions strictly to trusted users and review existing user roles to minimize the number of users with upload rights. Implement monitoring and alerting on asset upload activities, especially SVG file uploads, to detect suspicious or anomalous behavior. Employ web application firewalls (WAFs) with rules targeting SVG-based XSS payloads as a temporary defense layer. Conduct regular security audits of CMS configurations and user permissions. Educate users about the risks of uploading untrusted SVG content and enforce content sanitization policies where possible. Finally, maintain an incident response plan to quickly address any suspected exploitation attempts.