CVE-2026-28426: Chain Reaction Stored XSS and Antlers Template Injection in Statamic Control Panel

Summary

CVE-2026-28426 describes a critical stored cross-site scripting vulnerability in the Statamic CMS control panel that enables authenticated low-privilege users to inject malicious payloads via Scalable Vector Graphics (SVG) uploads, PDF embedding, and unsafe Antlers template evaluation. When high-privileged users view the compromised content, arbitrary JavaScript can execute in their browser, leading to potential account takeover and privilege escalation.

Statamic is a Laravel- and Git-powered content management system. Prior to the fixed releases, versions in the 5.x and 6.x lines allowed unsafe handling of user-supplied assets and permissive template evaluation contexts.

TL;DR

Critical stored XSS in Statamic CMS versions earlier than 5.73.11 and 6.4.0. Authenticated Authors or Editors can inject JavaScript via malicious SVGs and Antlers template injection in the Control Panel. Patch to 5.73.11 or 6.4.0 immediately and follow mitigation best practices.

Technical details

  • CWE: CWE-79 (Stored Cross-Site Scripting)
  • CVSS v3.1: 8.7 (High)
  • EPSS: 0.025%
  • Attack vector: Network, via authenticated upload or template input
  • Impact: Privilege escalation, administrator account compromise, data exposure
  • Exploit status: Proof of concept available

Affected systems

  • Statamic CMS 5.x versions earlier than 5.73.11
  • Statamic CMS 6.x versions earlier than 6.4.0
  • Any site where low privilege users can upload assets, edit Antlers templates, or create content rendered in the Control Panel

Code analysis and fixes

  • Commit 97bbbec1: introduced an isEvaluatingUserData flag to sandbox the Antlers engine and reduce unsafe evaluation contexts
  • Commit 01ca0847: replaced config()->all() usage with a whitelisted Cascade::config() to limit exposure of configuration data to evaluated templates
  • Commit 259c5851: replaced PDF embed rendering with a Canvas based rendering approach to reduce direct injection vectors via embedded PDFs

Exploit details

An attacker with Author or Editor level access can upload an SVG containing embedded script or attach specially crafted attributes that are not sanitized when displayed in the Control Panel. In parallel, Antlers template injection arises from evaluating user data in template contexts that were not fully sandboxed. The combination creates a chain reaction where an asset upload triggers script execution in the browser of an Administrator viewing content or asset listings.

The GitHub security advisory GHSA-5vrj-wf7v-5wr7 documents the vector descriptions and conceptual proof-of-concept techniques. Successful exploitation requires an authenticated user and a victim with higher privileges interacting with the compromised content in the Control Panel.

Mitigation strategies

  • Upgrade immediately to Statamic 5.73.11 or 6.4.0 or later. Apply vendor patches as the primary remediation.
  • Harden roles: restrict upload and template editing permissions to a minimal set of trusted users. Remove unnecessary Author and Editor privileges.
  • Content Security Policy: implement restrictive CSP headers that disallow inline scripts and disallow script execution from untrusted sources in the Control Panel context.
  • Sanitize uploads: enforce server side sanitization of SVG files, strip scriptable elements and event attributes, and convert or rasterize SVGs where feasible.
  • Disable unneeded features: temporarily disable PDF embedding or template evaluation of user supplied data until patches are applied.

Detection and indicators

  • Review asset upload logs for unexpected SVG or PDF uploads from low privilege accounts.
  • Search content and template fields for suspicious patterns such as script tags, javascript: URIs, on* event attributes, or Antlers constructs that reference config or eval-like behavior.
  • Monitor Control Panel access logs for unusual administrator sessions immediately following new asset uploads or template edits.
  • Use CSP violation reports and browser console logs to detect attempted inline script execution on administration pages.
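The following is an added example, not Statamic's own code, covering two items above: the server-side SVG sanitization under Mitigation strategies and the content/template field search under Detection and indicators. It strips scriptable elements, on* handlers and javascript:/data: URLs from an SVG (reporting each removal for the content audit) and flags the suspicious text patterns listed above; the element and attribute name lists and the sample SVG are assumptions constructed for this example, not the vendor's sanitizer rules.

```python
import re
import xml.etree.ElementTree as ET
ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Elements that execute script or embed foreign content, and attributes that carry URLs
# (animate/set can smuggle a URL through from/to/values). Assumed lists, not Statamic's.
SCRIPT_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src", "from", "to", "values"}
# javascript:/vbscript: are always unsafe; data: is unsafe unless it is a plain raster image.
UNSAFE_URL = re.compile(r"^\s*(?:javascript|vbscript)\s*:|^\s*data:(?!image/(?:png|jpe?g|gif|webp))", re.I)
# The suspicious patterns from the detection list above, for content and template fields.
TEXT_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "on* event attribute": re.compile(r"\bon[a-z]+\s*=", re.I),
    "Antlers config access": re.compile(r"\{\{[^}]*\bconfig\b", re.I),
}
def _local(name):  # strip the XML namespace: {ns}href -> href
    return name.rpartition("}")[2].lower()

def audit_svg(data):
    """Return (findings, cleaned SVG bytes); unparseable input is itself a finding."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"], None
    findings = []
    for parent in list(root.iter()):           # first remove scriptable child elements
        for child in list(parent):
            if _local(child.tag) in SCRIPT_ELEMENTS:
                findings.append(f"removed <{_local(child.tag)}>")
                parent.remove(child)
    for el in root.iter():                     # then event handlers and unsafe URLs
        for attr in list(el.attrib):
            name, value = _local(attr), el.attrib[attr]
            if name.startswith("on") or (name in URL_ATTRS and UNSAFE_URL.match(value)):
                findings.append(f"removed {name}={value!r} on <{_local(el.tag)}>")
                del el.attrib[attr]
    return findings, ET.tostring(root)

def scan_field(text):
    """Names of the suspicious patterns present in a content or template field."""
    return [label for label, rx in TEXT_PATTERNS.items() if rx.search(text)]

SAMPLE_SVG = (  # constructed sample carrying the SVG vectors the advisory describes
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="alert(1)"><script>alert(2)</script>'
    b'<a xlink:href="javascript:alert(3)"><rect width="10" height="10"/></a></svg>')
```

Run audit_svg over each SVG in the asset store and scan_field over content and template fields; any non-empty result is a candidate for the content audit in the incident response section.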

Recommended incident response

  • Patch affected systems without delay and verify the update applied successfully.
  • Rotate credentials and API keys for administrative accounts that may have been exposed.
  • Perform a content audit for malicious SVGs, PDFs, and modified templates. Remove or replace any suspicious assets and revert template changes.
  • Review recent administrative activity for signs of unauthorized actions and preserve logs for forensic analysis.

Notes and references

Key identifiers include CVE-2026-28426, CWE-79, and advisory GHSA-5vrj-wf7v-5wr7. Fixed in Statamic 5.73.11 and 6.4.0. Relevant commits include 97bbbec1, 01ca0847, and 259c5851, which introduce sandboxing and safer config usage and change PDF rendering.

Follow vendor guidance and test patches in staging before production deployment. Combining patching with policy hardening and runtime protections will reduce risk and prevent exploitation chains that lead to administrator compromise.
