CVE-2026-28426— Statamic vulnerable to privilege escalation via stored cross-site scripting

Statamic vulnerable to privilege escalation via stored cross-site scripting

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Statamic 跨站脚本漏洞

Statamic是美国Statamic公司的一个基于 Laravel 构建的强大的平面文件 Cms。用于将所有内容、模板、资产和设置存储在文件而不是数据库中。 Statamic 5.73.11之前版本和6.4.0之前版本存在跨站脚本漏洞，该漏洞源于svg和图标相关组件存在存储型跨站脚本，可能导致具有适当权限的已认证用户注入恶意JavaScript，并在高权限用户查看时执行。

N/A

N/A