CVE-2026-33172

HIGH8.7EPSS 0.01%

Statamic has Stored XSS via SVG Sanitization Bypass

發布日:2026/3/18修改日:2026/3/25

描述

### Impact Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. ### Patches This has been fixed in 5.73.14 and 6.7.0.

受影響套件(1)

Packagist/statamic/cms>= 6.0.0-alpha.1, < 6.7.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33172
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7