CVE-2026-33172 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the Statamic content management system (CMS), which is built on Laravel and Git. The vulnerability exists in versions prior to 5.73.14 and 6.7.0 and specifically targets the SVG asset reupload functionality. Authenticated users who possess asset upload permissions can exploit this flaw by uploading SVG files containing malicious JavaScript payloads. Due to improper sanitization of SVG content during reuploads, the malicious script is not neutralized and executes in the context of users viewing the asset. This can lead to session hijacking, credential theft, or further exploitation within the CMS environment. The vulnerability requires authentication and user interaction (viewing the malicious SVG asset) but does not require elevated privileges beyond asset upload rights. The CVSS 3.1 base score of 8.7 reflects a high severity, with network attack vector, low attack complexity, privileges required, user interaction, and a scope change indicating that the vulnerability affects components beyond the initial vulnerable code. The impact on confidentiality and integrity is high, while availability is not affected. No public exploits have been reported yet, but the vulnerability is critical enough to warrant immediate patching. The fix was introduced in Statamic versions 5.73.14 and 6.7.0, which properly sanitize SVG uploads to prevent script injection.

The exploitation of CVE-2026-33172 can have severe consequences for organizations using vulnerable versions of Statamic CMS. Attackers with authenticated access and asset upload permissions can inject malicious JavaScript that executes in the browsers of users viewing the compromised SVG assets. This can lead to theft of session tokens, user credentials, or execution of arbitrary actions on behalf of victims, potentially compromising administrative accounts and the CMS backend. The breach of confidentiality and integrity can result in unauthorized data disclosure, defacement, or further lateral movement within the organization's infrastructure. Since the vulnerability affects web-facing CMS components, it can be leveraged to target website visitors or internal users, amplifying the attack surface. The requirement for authentication limits exploitation to insiders or compromised accounts, but the low complexity and high impact make it a significant risk. Organizations relying on Statamic CMS for critical web content or e-commerce are particularly vulnerable to reputational damage and data breaches if unpatched.

To mitigate CVE-2026-33172, organizations should immediately upgrade Statamic CMS to versions 5.73.14 or 6.7.0 or later, where the SVG sanitization flaw is fixed. Until patching is complete, restrict asset upload permissions strictly to trusted users and consider disabling SVG uploads if feasible. Implement monitoring and alerting for unusual SVG asset uploads or modifications, and conduct regular audits of uploaded assets to detect malicious content. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting script execution sources. Educate users with upload permissions about the risks of uploading untrusted SVG files. Additionally, review authentication and access controls to minimize the number of users with asset upload rights. In environments where patching is delayed, consider isolating the CMS or deploying web application firewalls (WAFs) with custom rules to detect and block malicious SVG payloads. Finally, maintain comprehensive logging to facilitate incident response if exploitation is suspected.