CVE-2026-33883 is a cross-site scripting (XSS) vulnerability identified in the Statamic content management system (CMS), which is built on Laravel and Git. The flaw exists in the user:reset_password_form tag, which prior to version 5.73.16 and between 6.0.0-alpha.1 and 6.7.2, improperly handles user input by rendering it directly into HTML without proper escaping or sanitization. This improper neutralization of input (CWE-79) allows attackers to craft malicious URLs that, when visited by a victim, execute arbitrary JavaScript code within the victim’s browser context. Such execution can lead to theft of session cookies, defacement, or redirection to malicious sites. The vulnerability is remotely exploitable over the network without authentication but requires user interaction (clicking the crafted URL). The CVSS 3.1 base score is 6.1, reflecting medium severity with low attack complexity and no privileges required. The vulnerability affects Statamic CMS versions below 5.73.16 and versions from 6.0.0-alpha.1 up to but not including 6.7.2. The vendor has addressed the issue in versions 5.73.16 and 6.7.2 by properly escaping user input in the affected tag. No public exploits or active exploitation have been reported to date, but the vulnerability poses a significant risk to websites using vulnerable versions of Statamic CMS, especially those with public-facing password reset functionality.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the browsers of users visiting a compromised or maliciously crafted URL on affected Statamic CMS websites. This can lead to theft of sensitive information such as session cookies, enabling account takeover, unauthorized actions performed on behalf of users, phishing attacks, or distribution of malware. While the vulnerability does not directly compromise server confidentiality or availability, successful exploitation undermines user trust and can result in reputational damage, data leakage, and potential regulatory consequences for organizations handling sensitive user data. Because the flaw is in a password reset form, attackers might target users attempting to reset their passwords, increasing the likelihood of successful social engineering. The medium CVSS score reflects that exploitation requires user interaction but no authentication, making it a moderate risk for organizations relying on affected Statamic CMS versions. Organizations with high traffic public websites or those in sectors with sensitive user data (e.g., finance, healthcare, e-commerce) face higher impact risks.

Organizations should immediately upgrade Statamic CMS to version 5.73.16 or later, or 6.7.2 or later, where the vulnerability has been patched. If immediate upgrade is not feasible, implement input validation and output encoding on the user:reset_password_form tag to ensure all user-supplied data is properly escaped before rendering in HTML. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of potential XSS attacks. Monitor web server logs for suspicious URL patterns that may indicate attempted exploitation. Educate users about the risks of clicking untrusted links, especially those related to password resets. Additionally, consider implementing multi-factor authentication to reduce the impact of session hijacking. Regularly audit and test web applications for XSS vulnerabilities using automated scanners and manual penetration testing to detect similar issues proactively.