CVE-2026-27196: Statamic affected by privilege escalation via stored cross-site scripting
(updated )
Stored XSS vulnerability in html fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
References
- github.com/advisories/GHSA-8r7r-f4gm-wcpq
- github.com/statamic/cms
- github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
- github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
- github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
- nvd.nist.gov/vuln/detail/CVE-2026-27196
Code Behaviors & Features
Detect and mitigate CVE-2026-27196 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →