CVE-2026-28425

HIGH EPSS 34.3%
Published Feb 27, 20264mo ago · Modified Mar 25, 20263mo ago
8.0 CVSS 3.1
High
Find Similar
Published Feb 27, 2026 4mo ago
Last Modified Mar 25, 2026 3mo ago

Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

CVSS Details

Base Score
8.0
Exploitability
2.1
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
34.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 2

VendorProductVersionRange
statamicstatamic* <5.73.11
statamicstatamic*≥6.0.0  –  <6.4.0

References 3

  • github.com https://github.com/statamic/cms/releases/tag/v5.73.11
    Release Notes
  • github.com https://github.com/statamic/cms/releases/tag/v6.4.0
    Release Notes
  • github.com https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw
    PatchVendor Advisory

Remediation

  • github.com https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rw
    PatchVendor Advisory