Statamic CMS Stored Cross-Site Scripting Vulnerability in SVG and Icon Components

Vulnerability

A stored cross-site scripting vulnerability has been identified in Statamic CMS versions prior to 5.73.11 and 6.4.0. This issue allows authenticated users with the necessary permissions to inject malicious JavaScript into SVG and icon-related components. The injected script executes when the content is viewed by users with higher privileges.
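To make the defect class concrete, the following is an added illustration, not Statamic's own sanitizer or a reproduction of this issue: a minimal check that a defender could run over SVG icon markup before it is stored, stripping the three usual script carriers (script-like elements, inline `on*` event handlers, and `javascript:`/`vbscript:` links) and reporting what it removed. The sample icon is constructed for the example; element and attribute lists are a deny-list for illustration only, and an allow-list of known-safe SVG tags and attributes is the stronger production choice.

```python
"""Detect and strip script-bearing constructs from an SVG icon (illustrative)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute or embed active content; a static icon needs none of them.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# href may appear unprefixed (SVG 2) or as xlink:href (SVG 1.1).
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)


def _local_name(qualified):
    """'{ns}tag' -> 'tag'; unqualified names pass through unchanged."""
    return qualified.rsplit("}", 1)[-1]


def sanitize_svg(svg_text):
    """Return (cleaned_svg, findings); findings lists every removal made."""
    root = ET.fromstring(svg_text)
    findings = []

    # Pass 1: drop active elements together with their subtrees.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in ACTIVE_ELEMENTS:
                findings.append(f"removed <{_local_name(child.tag)}> element")
                parent.remove(child)

    # Pass 2: drop inline event handlers and script-scheme links.
    for element in root.iter():
        for attr_name in list(element.attrib):
            local = _local_name(attr_name)
            if local.lower().startswith("on"):
                findings.append(f"removed event handler {local} on <{_local_name(element.tag)}>")
                del element.attrib[attr_name]
            elif attr_name in HREF_ATTRS and SCRIPT_SCHEME.match(element.attrib[attr_name]):
                findings.append(f"removed script URL on <{_local_name(element.tag)}>")
                del element.attrib[attr_name]

    # Serialise with the conventional prefixes instead of ElementTree's ns0/ns1.
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), findings


def is_safe_icon(svg_text):
    """True when the markup needs no changes: usable as an upload-time gate."""
    return not sanitize_svg(svg_text)[1]


# Constructed sample carrying the three common script vectors (not a real payload).
TAINTED_ICON = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 24 24" onload="run()">
  <script>run()</script>
  <a xlink:href="javascript:run()"><circle cx="12" cy="12" r="10"/></a>
  <path d="M4 4h16v16H4z"/>
</svg>"""

# Constructed sample of a benign icon for comparison.
CLEAN_ICON = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M4 4h16v16H4z"/>
</svg>"""

if __name__ == "__main__":
    cleaned, findings = sanitize_svg(TAINTED_ICON)
    for finding in findings:
        print(finding)
    print(cleaned)
```

Run against the tainted sample, the check reports three removals (the script element, the `onload` handler on the root, and the `javascript:` link) and leaves the `path` geometry intact; the clean sample passes unchanged. Parsing is done with the standard-library XML parser, so the check works on markup, not on the raw bytes a browser would see, and it should sit alongside a server-side `Content-Security-Policy` and correct `Content-Type` handling rather than replace them.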

Impact

Exploitation of this vulnerability allows for privilege escalation through the execution of injected JavaScript, potentially leading to unauthorized actions being performed on behalf of a user with elevated rights.

Remediation

Upgrade to Statamic CMS 5.73.11 or 6.4.0 to address this vulnerability.

Added: Feb 28, 2026, 12:27 AM
Updated: Feb 28, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 5.2
remediation: 7.7
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.