Critical XSS Flaw in Statamic Control Panel
A critical vulnerability, CVE-2026-28426, was disclosed in the Statamic Control Panel, allowing for stored XSS and template injection. The exploit uses the Antlers templating system to execute arbitrary JavaScript, potentially leading to a backend compromise. The flaw highlights risks in web-based admin tools used within broader application ecosystems.
Statamic's flat-file architecture, often touted for security benefits such as immunity to SQL injection, is not impervious to other attack vectors. CVE-2026-28426 specifically affects SVG and icon-related components of the control panel, allowing an authenticated user to inject malicious JavaScript. When a higher-privileged user views these components, the script executes in that user's browser, potentially leading to session hijacking or credential theft. Patches were released in versions 5.73.11 and 6.4.0.

The vulnerability received a CVSS base score of 8.7, reflecting its high impact on confidentiality and integrity, though exploitation requires an authenticated attacker with specific permissions. This highlights the risk of privilege escalation within a system, where a lower-privileged account can be used to compromise an administrator.

The flaw is intertwined with Statamic's own templating engine, Antlers. While powerful for fetching and manipulating data, Antlers can execute code from user-controlled content if explicitly enabled on a given field, creating a pathway to remote code execution. By default, Antlers does not parse template code within content fields for security reasons, a safeguard that must be deliberately overridden by a developer.

This XSS flaw is part of a broader pattern of vulnerabilities recently addressed in Statamic. Another high-severity advisory, CVE-2026-28425, warns of a remote code execution risk through Antlers-enabled control panel inputs. This underscores the importance of input sanitization and cautious feature enablement in systems built on flexible frameworks.

Built on Laravel, Statamic inherits many of its robust security features, such as built-in protections against CSRF and XSS. However, the security of the final application still depends on developers adhering to best practices, such as keeping dependencies updated and validating all user inputs, especially file uploads and data bound for template rendering.
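The SVG vector described above works because an SVG rendered inline in an admin page is not an image but an XML document that can carry `<script>` elements, `on*` event handlers and `javascript:` URLs, all of which run in the viewing user's browser. The following is an added, constructed example (not Statamic's code, and not a description of how the patched versions fix the issue) of the upload-side check a developer would apply to icon uploads: it reports script-capable constructs in an SVG and produces a stripped copy. The sample icons and all function names are the example's own assumptions. It covers only the SVG vector; the Antlers template-injection vector is addressed by not enabling Antlers parsing on user-editable fields.

```python
"""Added, constructed example (not Statamic's code): treating uploaded SVG
icons as active content rather than as images. Detects and strips the
constructs that turn an inline-rendered SVG into stored XSS.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the original prefixes when re-serialising so the output is still valid SVG.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign (HTML) content inside an SVG.
SCRIPT_CAPABLE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def _is_dangerous_attr(name, value):
    local = _local(name)
    # Any on* attribute (onload, onclick, onmouseover, ...) is an event handler.
    if local.lower().startswith("on"):
        return True
    return local in URL_ATTRS and bool(JS_URL.match(value))


def find_active_content(svg_text):
    """Return human-readable findings for every script-capable construct.

    An empty list means none of the checked constructs is present.
    """
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag in SCRIPT_CAPABLE_TAGS:
            findings.append(f"element <{tag}>")
        for name, value in elem.attrib.items():
            if _is_dangerous_attr(name, value):
                findings.append(f"attribute {_local(name)} on <{tag}>")
    return findings


def _strip(elem):
    # Iterate over a copy, since removing children mutates the element.
    for child in list(elem):
        if _local(child.tag) in SCRIPT_CAPABLE_TAGS:
            elem.remove(child)
        else:
            _strip(child)
    for name in list(elem.attrib):
        if _is_dangerous_attr(name, elem.attrib[name]):
            del elem.attrib[name]


def sanitize_svg(svg_text):
    """Return the SVG with script-capable elements and attributes removed."""
    root = ET.fromstring(svg_text)
    _strip(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample upload: a plausible-looking icon carrying three payloads
# (an event handler, a script element and a javascript: link). Benign alerts only.
MALICIOUS_ICON = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 24 24">
  <rect width="24" height="24" fill="#09f" onload="alert(document.domain)"/>
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><circle cx="12" cy="12" r="4"/></a>
</svg>"""

# Constructed clean icon: should pass unchanged.
BENIGN_ICON = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <circle cx="12" cy="12" r="10" fill="none" stroke="#333"/>
</svg>"""


if __name__ == "__main__":
    for finding in find_active_content(MALICIOUS_ICON):
        print("reject:", finding)
    print(sanitize_svg(MALICIOUS_ICON))
```

The deny-list above is deliberately small to show the mechanism; a production check should allow-list permitted elements and attributes (as DOMPurify or the PHP svg-sanitizer library do), since obfuscated `javascript:` spellings and CSS-based vectors slip past pattern matching. Two further mitigations limit impact regardless of sanitizer quality: serve user-uploaded SVGs through `<img>` or as downloads rather than inline in the control panel, so their scripts never run in the admin origin, and apply a Content-Security-Policy to control panel pages. Because SVG is XML, parse untrusted uploads with entity expansion disabled (for example via defusedxml) to avoid trading XSS for XXE.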