statamic/cms is vulnerable to Cross-Site Scripting (XSS)
Medium Risk
Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as v-html, innerHTML, and unsanitized HTML returned by marked, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., <script> tags, event handlers, or crafted HTML) into fields rendered by these components, leading to Cross-Site Scripting (XSS) that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.
You are affected if you are using a version that falls within the vulnerable range.
statamic/cms is vulnerable to Cross-Site Scripting (XSS) in versions 6.0.0 - 6.3.2 and 5.0.0 - 5.73.9.
Upgrade the statamic/cms library to a patched version (6.3.3 or later on the 6.x line, 5.73.10 or later on the 5.x line).
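The pattern described above (raw user input pushed into v-html or innerHTML, or HTML from marked inserted unsanitized) beside two defensive alternatives, as an added illustration that is not Statamic's own code. It assumes a Node environment with no DOM, so a minimal element stub stands in for the node a Vue component would render into; the allowlist sanitizer only illustrates the principle, and a maintained library such as DOMPurify belongs in production code.

```javascript
// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Allowlist sanitizer for HTML produced from user markdown (e.g. by marked).
// Unknown tags are neutralised by escaping; known tags are rebuilt from an
// attribute allowlist, so on* handlers and javascript: hrefs never survive.
// Illustrative only: use DOMPurify or similar in real code.
const ALLOWED = { p: [], em: [], strong: [], ul: [], ol: [], li: [], code: [], pre: [], br: [], a: ['href'] };

function sanitizeMarkup(html) {
  return String(html).replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, slash, name, rest) => {
    const tag = name.toLowerCase();
    if (!(tag in ALLOWED)) return escapeHtml(whole);   // e.g. <script>, <img>
    if (slash) return `</${tag}>`;
    const attrs = [];
    for (const attr of ALLOWED[tag]) {
      const m = rest.match(new RegExp(`\\b${attr}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i'));
      if (!m) continue;
      const value = (m[2] ?? m[3] ?? m[4]).trim();
      // Only http(s) and site-relative links; drops javascript: and data: URLs.
      if (attr === 'href' && !/^(https?:\/\/|\/)/i.test(value)) continue;
      attrs.push(` ${attr}="${escapeHtml(value)}"`);
    }
    return `<${tag}${attrs.join('')}>`;
  });
}

// Constructed stand-in for a DOM element (Node has no DOM).
function makeElement() { return { innerHTML: '', textContent: '' }; }

// Vulnerable: v-html / innerHTML with raw user input.
function renderUnsafe(el, userInput) { el.innerHTML = userInput; return el.innerHTML; }

// Fix for plain-text fields: interpolate as text ({{ }} in Vue, textContent in DOM).
function renderAsText(el, userInput) { el.textContent = userInput; return el.textContent; }

// Fix for rich content: sanitize the marked output before innerHTML / v-html.
function renderSanitized(el, markedOutput) { el.innerHTML = sanitizeMarkup(markedOutput); return el.innerHTML; }
```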