{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33172", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.719Z", "datePublished": "2026-03-20T21:40:46.736Z", "dateUpdated": "2026-03-25T13:46:16.341Z"}, "containers": {"cna": {"title": "Statamic has Stored XSS via SVG Sanitization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 6.0.0-alpha.1, < 6.7.0", "status": "affected"}, {"version": "< 5.73.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:40:46.736Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0."}], "source": {"advisory": "GHSA-7rcv-55mj-chg7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:46:09.184212Z", "id": "CVE-2026-33172", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:46:16.341Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33172", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.719Z", "datePublished": "2026-03-20T21:40:46.736Z", "dateUpdated": "2026-03-25T13:46:16.341Z"}, "containers": {"cna": {"title": "Statamic has Stored XSS via SVG Sanitization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 6.0.0-alpha.1, < 6.7.0", "status": "affected"}, {"version": "< 5.73.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:40:46.736Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0."}], "source": {"advisory": "GHSA-7rcv-55mj-chg7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33172", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T13:46:09.184212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:46:12.475Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "23CF5975-D5BE-4138-AE2F-95F7BBE00F20", "versionEndExcluding": "5.73.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B99B257-0FC1-4CF9-B006-8AEC17235BC8", "versionEndExcluding": "6.7.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. This has been fixed in 5.73.14 and 6.7.0."}], "id": "CVE-2026-33172", "lastModified": "2026-03-23T18:46:04.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T22:16:28.973", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-03-23T21:07:45.049049+00:00", "value": {"mitigation_remediation": ["Upgrade Statamic to version 5.73.14 or later, or 6.7.0 or later", "If an upgrade is not feasible, restrict or revoke asset upload permissions for authenticated users", "Verify that the sanitization routine is active and monitor for anomalous SVG uploads"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects Statamic CMS versions earlier than 5.73.14 and 6.7.0. Any installation that allows asset uploads for authenticated users is at risk until the patch is applied.", "description_and_impact": "Statamic CMS is vulnerable to a stored cross\u2011site scripting flaw that lets authenticated users with asset upload rights inject arbitrary JavaScript into SVG files. When a victim views the manipulated SVG, the embedded code executes in the victim\u2019s browser, enabling data theft or session hijacking. This weakness arises from a bypass of the system\u2019s SVG sanitization and is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity, yet the EPSS probability is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker first obtain legitimate credentials with upload privileges, after which they can upload a crafted SVG that bypasses sanitization. The impact is limited to users who view the malicious asset, but the potential for wide spread remains if many users consume the file."}}}}, "created": "2026-03-23T09:52:33.935182+00:00", "updated": "2026-03-25T14:34:27.962692+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}