High (8.7)

Statamic stored XSS via SVG reupload (CVE-2026-33172)

CVE-2026-33172

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset uplo...

Overview

A high-severity stored cross-site scripting (XSS) vulnerability has been identified in the Statamic content management system. Tracked as CVE-2026-33172, this flaw allows authenticated users with permission to upload assets to bypass security controls and inject malicious code into the system.

Vulnerability Details

Statamic is a popular CMS built on Laravel. The vulnerability existed in the feature that handles the re-uploading of SVG (Scalable Vector Graphics) asset files. Normally, SVG files are sanitized to remove any potentially harmful scripts. However, a flaw in versions prior to 5.73.14 and 6.7.0 allowed this sanitization process to be bypassed during a re-upload.

An attacker with a standard user account and asset upload permissions could upload a malicious SVG file containing JavaScript. When another user, such as an administrator or a site visitor, views this asset in the control panel or on the front-end website, the embedded script automatically executes in their browser.

Potential Impact

This is a stored XSS attack, meaning the malicious payload is permanently saved on the server and impacts every user who accesses the tainted file. The consequences can be severe:

  • Session Hijacking: An attacker could steal session cookies and impersonate administrators or other users.
  • Defacement: Malicious scripts could alter website content visible to all visitors.
  • Malware Distribution: The vulnerability could be used to redirect users to malicious sites or deliver malware.
  • Data Theft: Scripts could capture keystrokes or sensitive data entered by users on the site.

Given that exploitation requires only a low-privilege authenticated account, this vulnerability significantly increases the risk of insider threats or attacks stemming from compromised user credentials. For context on how stolen credentials can lead to such breaches, you can review historical incidents in our breach reports.

Remediation and Mitigation

The Statamic development team has released patched versions that fully address this vulnerability.

Primary Action - Immediate Update:

  • If you are using Statamic version 5.x, update to version 5.73.14 or later.
  • If you are using Statamic version 6.x, update to version 6.7.0 or later.

Additional Security Measures:

  1. Principle of Least Privilege: Regularly audit user accounts and ensure that asset upload permissions are granted only to users who absolutely require them.
  2. Input Validation: While the patch fixes this specific bypass, maintain a defense-in-depth posture by treating all user uploads as untrusted.
  3. Monitor Activity: Keep an eye on audit logs for unusual asset upload or modification activity, especially concerning SVG files.

After applying the update, it is good practice to review recently uploaded SVG assets for any suspicious content. For the latest updates on vulnerabilities like this one, follow our security news section.
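As an added example that is not part of this advisory or of Statamic's own code, the following Python script implements the post-update review suggested above: it walks an asset directory and flags SVG files that still contain script elements, event-handler attributes, active href URLs or animations that rewrite href. The sample SVG strings are constructed for illustration, and the heuristic is a triage aid, not a substitute for the vendor fix.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that should never survive sanitization of an SVG asset.
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn an href into active content.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def find_svg_findings(svg_text: str) -> list:
    """Return findings for one SVG document; an empty list means nothing matched.
    This is a triage heuristic for the post-update review, not proof of safety."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); inspect manually"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in RISKY_TAGS:
            findings.append(f"<{name}> element")
        # <animate>/<set> can rewrite href at runtime, so flag those as well.
        if name in ("animate", "set") and elem.get("attributeName", "").endswith("href"):
            findings.append(f"animation targeting href on <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"active URL in href on <{name}>")
    return findings


def scan_directory(asset_dir: str) -> dict:
    """Map each .svg under asset_dir to its findings, keeping only flagged files."""
    report = {}
    for path in sorted(Path(asset_dir).rglob("*.svg")):
        findings = find_svg_findings(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples (not from the advisory): a benign icon and a tainted one.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
TAINTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               '<script>alert(1)</script></svg>')
```

Run `scan_directory("public/assets")` (or wherever your asset container stores files) and inspect every flagged path by hand before deciding whether to delete or re-sanitize it.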

This fix is straightforward to apply via Composer and is the most effective step to protect your Statamic installation from potential exploitation.
