CVE-2026-33172: Statamic has Stored XSS via SVG Sanitization Bypass
A stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.