CVE-2026-28425— Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

Statamic 代码注入漏洞

Statamic是美国Statamic公司的一个基于 Laravel 构建的强大的平面文件 Cms。用于将所有内容、模板、资产和设置存储在文件而不是数据库中。 Statamic 5.73.11之前版本和6.4.0之前版本存在代码注入漏洞，该漏洞源于具有访问Antlers启用输入权限的已认证控制面板用户可能实现远程代码执行，可能导致应用程序完全被破坏，包括访问敏感配置、修改或泄露数据以及影响可用性。

N/A

N/A