Statamic Stored Cross-Site Scripting Vulnerability in SVG Asset Reuploads

Vulnerability

A stored cross-site scripting vulnerability has been identified in Statamic CMS versions prior to 5.73.14 and 6.7.0. Authenticated users with asset upload permissions can bypass the sanitization of SVG files because the reupload process sanitizes them inadequately; JavaScript injected into an SVG asset is stored and executes when the asset is viewed.
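As an added illustration (not Statamic's own code), the following Python sketch shows the design property a fix for this class of bug restores: one SVG gate that every write path, initial upload and replacement alike, passes through, so a clean first version cannot later be swapped for a scripted one. The store class, its method names and the sample SVG documents are constructed for this example; a production implementation should parse untrusted XML with defusedxml rather than the standard-library parser.

```python
"""Added example: an SVG gate applied on both the upload and the reupload path."""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

# Element local names that can carry script or embed HTML inside an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}
# Attributes that reference a resource; scripted URL schemes are refused in them.
URL_ATTRIBUTES = {"href"}
SCRIPTED_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means the document passed."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and SCRIPTED_SCHEME.match(value):
                findings.append(f"scripted URL in {name} on <{tag}>")
    return findings


class AssetStore:
    """Constructed in-memory asset store: every SVG write goes through _validate."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}

    def _validate(self, name: str, data: bytes) -> None:
        if name.lower().endswith(".svg"):
            findings = scan_svg(data)
            if findings:
                raise ValueError(f"rejected {name}: " + "; ".join(findings))

    def upload(self, name: str, data: bytes) -> None:
        if name in self._blobs:
            raise FileExistsError(name)
        self._validate(name, data)
        self._blobs[name] = data

    def replace(self, name: str, data: bytes) -> None:
        """Reupload path: the same gate as upload(), not a weaker copy of it."""
        if name not in self._blobs:
            raise FileNotFoundError(name)
        self._validate(name, data)
        self._blobs[name] = data

    def get(self, name: str) -> bytes:
        return self._blobs[name]


# Constructed sample documents.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
            b'<a href="javascript:void 0"><text>x</text></a></svg>')


def demo() -> bytes:
    """Upload a clean asset, then attempt to replace it with a scripted one.
    Returns the bytes still stored afterwards (the clean original)."""
    store = AssetStore()
    store.upload("logo.svg", CLEAN_SVG)
    try:
        store.replace("logo.svg", SCRIPT_SVG)
    except ValueError as exc:
        print(exc)
    return store.get("logo.svg")


if __name__ == "__main__":
    demo()
```

The point of the store class is structural: `upload()` and `replace()` share `_validate()`, so the reupload path cannot drift away from the upload path. `scan_svg()` is deliberately a rejecting gate rather than a cleaner; stripping nodes from untrusted markup and keeping the rest is harder to get right than refusing the file.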

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed when the affected SVG asset is viewed.

Remediation

Upgrade to Statamic 5.73.14 or 6.7.0 to address this vulnerability.

Added: Mar 20, 2026, 10:21 PM
Updated: Mar 20, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.