High (8.7)

Statamic stored XSS via SVG reupload (CVE-2026-33172)

CVE-2026-33172

Statamic XSS flaw lets low-privilege users hijack admin sessions via SVG uploads. Update to 5.73.14 or 6.7.0 to fix CVE-2026-33172.

Affected: Statamic

Vendor-confirmed - CVE-2026-33172 is a high-severity stored XSS in Statamic versions prior to 5.73.14 and 6.7.0. An authenticated user with asset upload permission can plant JavaScript in an SVG asset that then runs in the browser of anyone who opens it, including administrators in the control panel. Update immediately to close this attack vector.

Overview

A high-severity stored cross-site scripting (XSS) vulnerability has been identified in the Statamic content management system. Tracked as CVE-2026-33172, this flaw allows authenticated users with permission to upload assets to bypass the SVG sanitization step and store script in an asset served by the site.

Vulnerability Details

Statamic is a popular CMS built on Laravel. The vulnerability existed in the feature that handles the re-uploading of SVG (Scalable Vector Graphics) asset files. Normally, SVG files are sanitized on upload to strip scripts and other active content. In versions prior to 5.73.14 and 6.7.0, that sanitization was not applied when an existing asset was replaced through the re-upload path, so a file that would have been cleaned on a fresh upload could be stored unmodified.

An attacker with a standard user account and asset upload permissions could upload a malicious SVG file containing JavaScript. When another user, such as an administrator or a site visitor, views this asset in the control panel or on the front-end website, the embedded script executes in their browser. One caveat when assessing exposure: browsers run script inside an SVG only when the file is rendered as a document, that is, opened directly at its URL or embedded via <object>, <embed> or <iframe>. An SVG referenced from an <img> tag or from CSS is rendered without script, so the realistic triggers are the asset's direct URL and any control panel view that loads it as a document.

Potential Impact

This is a stored XSS attack, meaning the malicious payload is permanently saved on the server and impacts every user who accesses the tainted file. The consequences can be severe:

  • Session Hijacking: An attacker could steal session cookies and impersonate administrators or other users. Laravel sets its session cookie HttpOnly by default, which blocks direct cookie reads from script, but script running in the control panel origin can still issue authenticated requests as the victim, which has the same effect.
  • Defacement: Malicious scripts could alter website content visible to all visitors.
  • Malware Distribution: The vulnerability could be used to redirect users to malicious sites or deliver malware.
  • Data Theft: Scripts could capture keystrokes or sensitive data entered by users on the site.

Given that exploitation requires only a low-privilege authenticated account, this vulnerability raises the risk from insider threats and from compromised contributor credentials.

Remediation and Mitigation

The Statamic development team has released patched versions that fully address this vulnerability.

Primary Action - Immediate Update:

  • If you are using Statamic version 5.x, update to version 5.73.14 or later.
  • If you are using Statamic version 6.x, update to version 6.7.0 or later.
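The two fixed versions above sit on different release lines, so a naive "is my version lower than 6.7.0" check would wrongly flag a patched 5.73.14 install. The following added example (not Statamic's or OSV's code) reads composer.lock, finds the Statamic package and compares its version against the fixed release for its own major line. The Composer package name statamic/cms, the treatment of the unlisted 4.x and 7.x lines, and the sample lock file content are assumptions made here for illustration.

```python
"""Branch-aware 'am I affected' check for CVE-2026-33172 (added example, not vendor code).

Reads composer.lock, finds the Statamic package and compares its version against the
fixed release for that major line: 5.73.14 for 5.x, 6.7.0 for 6.x (from the advisory).
"""
import json
import re
import sys

PACKAGE = "statamic/cms"  # assumption: Composer package name of the Statamic CMS core
FIXED = {5: (5, 73, 14), 6: (6, 7, 0)}  # fixed versions per release line, from the advisory

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'v5.73.13' / '5.73.13' / '6.7.0-beta.1' -> (major, minor, patch).

    Pre-release tags are ignored, so 6.7.0-beta.1 compares equal to 6.7.0; treat such
    builds as unpatched unless the vendor advisory says otherwise.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if the version predates the fix on its own release line."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is not None:
        return v < fixed
    # Assumption: lines older than 5.x received no fix and are treated as affected;
    # lines newer than 6.x postdate the fix and are treated as not affected.
    return v[0] < 5


def installed_version(lock_text: str):
    """Return the locked version string of PACKAGE, or None if it is not present."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"]
    return None


def check_lock(lock_text: str) -> dict:
    """Summarise installed version, affected status and the fix for its release line."""
    version = installed_version(lock_text)
    if version is None:
        return {"installed": None, "affected": None}
    fix = FIXED.get(parse_version(version)[0])
    return {
        "installed": version,
        "affected": is_affected(version),
        "fixed_in": ".".join(map(str, fix)) if fix else None,
    }


# Constructed composer.lock excerpt for the demo, trimmed to the fields used here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v5.73.13"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Usage: python check_statamic.py /path/to/composer.lock  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOCK
    print(json.dumps(check_lock(source), indent=2))
```

Run it against each site's composer.lock rather than against composer.json: the lock file records the version actually installed, whereas composer.json only records the constraint.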

Additional Security Measures:

  1. Principle of Least Privilege: Regularly audit user accounts and ensure that asset upload permissions are granted only to users who absolutely require them.
  2. Input Validation: While the patch fixes this specific bypass, maintain a defense-in-depth posture by treating all user uploads as untrusted.
  3. Monitor Activity: Watch audit logs for unusual asset upload or modification activity, especially SVG assets that are replaced through re-upload.

After applying the update, review recently uploaded or replaced SVG assets for script content: updating the package stops the bypass but does not by itself tell you whether a payload was already stored.

This fix is straightforward to apply via Composer and is the most effective step to protect your Statamic installation from potential exploitation.

Update - May 2026

No patch changes since the original disclosure; Statamic v5.73.14 and v6.7.0 remain the fixed versions. CISA has not added CVE-2026-33172 to the Known Exploited Vulnerabilities catalog as of mid-May. The EPSS score holds steady at 0.0001 (2nd percentile), a low predicted probability of exploitation in the wild. EPSS is weighted towards mass, unauthenticated exploitation, so a low score says little about a flaw that needs an authenticated account and a specific victim; it should not lower vigilance.

No related CVEs within the Statamic family have been published, but the same stored XSS pattern via SVG re-uploads continues to appear across other CMS platforms (e.g., CVE-2026-41233 targeting Craft CMS's asset handling). Defenders should treat this as part of a wider attack trend against rich-media upload pipelines.

No confirmed real-world exploitation reports have surfaced publicly, though a generic detection signature for SVG uploads containing <script> or on* event handlers in file re-upload HTTP requests is now included in certain open IDS rulesets. Apply this signature proactively, but treat it as a tripwire rather than a control: a rule that matches the literal strings <script> and on* is evaded by character references, whitespace inside a javascript: href, or a compressed request body, and it only sees traffic that passes the sensor.

Recommended actions: Immediately verify all Statamic instances are upgraded to v5.73.14+ or v6.7.0+. Restrict asset-upload permissions to only trusted roles, and disable SVG uploads entirely if not business-critical. Monitor access logs for anomalous reupload patterns by authenticated users.
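The post-patch review of stored SVG assets recommended earlier, and the on-the-wire signature described above, both come down to the same question: does this SVG carry script-capable content? The following added example (not Statamic's sanitizer and not the IDS rule) answers it by parsing the XML rather than grepping it, so character-reference obfuscation is decoded before the check. It flags <script>, on* event handlers, javascript: and data: hrefs, <foreignObject>, and SMIL <set>/<animate> elements that rewrite href, and it treats an unparseable file as a finding rather than a pass. The sample SVGs and the default asset path are constructed for the demo; for hostile input at scale, swap the standard-library parser for defusedxml.

```python
"""Scan SVG assets for script-capable content (added example, not Statamic's sanitizer).

Parsing the XML (rather than grepping the bytes) means &#106;avascript: and
jav&#x09;ascript: are decoded to javascript: before the scheme is checked.
"""
import re
import sys
import tempfile
import xml.etree.ElementTree as ET  # assumption: use defusedxml instead for hostile input at scale
from pathlib import Path

_CTRL = re.compile(r"[\x00-\x20]")  # browsers strip these before reading a URL scheme


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def _scheme(value: str) -> str:
    """Normalise an href the way a browser would, then return its scheme ('' if none)."""
    cleaned = _CTRL.sub("", value).lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""


def scan_svg_text(svg: str) -> list:
    """Return a list of findings; an empty list means nothing script-capable was seen."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); reject rather than trust"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can carry HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)  # xlink:href arrives as {xlink-ns}href, so it becomes 'href'
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and _scheme(value) in ("javascript", "data"):
                findings.append(f"{_scheme(value)}: URI in href on <{tag}>")
        # SMIL animation can rewrite a benign href to javascript: after load
        target = el.attrib.get("attributeName", "").rsplit(":", 1)[-1].lower()
        if tag in ("set", "animate") and target == "href":
            findings.append(f"<{tag}> rewriting href (SMIL)")
    return findings


def scan_directory(root) -> dict:
    """Map each *.svg under root to its findings; only files with findings are returned."""
    results = {}
    for path in Path(root).rglob("*.svg"):
        hits = scan_svg_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed samples for the demo; none of these come from the advisory.
SAMPLES = {
    "benign": '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4"/></svg>',
    "inline_script": '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
    "onload": '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "obfuscated": ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                   '<a xlink:href="jav&#x09;ascript:alert(1)"><text y="10">x</text></a></svg>'),
    "smil": ('<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.test/">'
             '<set attributeName="href" to="javascript:alert(1)"/><text y="10">x</text></a></svg>'),
}

if __name__ == "__main__":
    # Usage: python scan_svg.py /path/to/assets   (no path: scans the constructed samples)
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = tempfile.mkdtemp()
        for name, body in SAMPLES.items():
            Path(target, f"{name}.svg").write_text(body, encoding="utf-8")
    for path, hits in sorted(scan_directory(target).items()):
        print(f"{path}: {', '.join(hits)}")
```

Point it at the asset container's root on disk (or at a directory of files carved from upload requests) and review every hit by hand; the scanner is a triage aid and a file with no findings is not proof of safety, only that none of these patterns were present.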
