CVE-2026-27196

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27196

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27196.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27196

Aliases

GHSA-8r7r-f4gm-wcpq

Published

2026-02-21T04:30:05.184Z

Modified

2026-03-03T02:56:23.228092Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Statamic affected by privilege escalation via stored Cross-site Scripting

Details

Statmatic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This issue has been fixed in 6.3.2 and 5.73.9.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27196.json"
}

References

Affected packages

Git / github.com/statamic/cms

Affected ranges

Type

GIT

Repo

https://github.com/statamic/cms

Events

Introduced

1025dbc537fdb606c73209ab54d865b345d241d4

Fixed

580697d3fb583ed2386d17eab54faff9686c09f4

Database specific

{
    "versions": [
        {
            "introduced": "6.0.0-alpha.1"
        },
        {
            "fixed": "6.3.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/statamic/cms

Events

Introduced

Fixed

1171faaf2ffd6abfca2befd51814f99b7e057dc2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.73.9"
        }
    ]
}

Affected versions

v3.*

v3.0.0

v3.0.0-beta.1

v3.0.0-beta.10

v3.0.0-beta.11

v3.0.0-beta.12

v3.0.0-beta.13

v3.0.0-beta.14

v3.0.0-beta.15

v3.0.0-beta.16

v3.0.0-beta.17

v3.0.0-beta.18

v3.0.0-beta.19

v3.0.0-beta.2

v3.0.0-beta.20

v3.0.0-beta.21

v3.0.0-beta.22

v3.0.0-beta.23

v3.0.0-beta.24

v3.0.0-beta.25

v3.0.0-beta.26

v3.0.0-beta.27

v3.0.0-beta.28

v3.0.0-beta.29

v3.0.0-beta.3

v3.0.0-beta.30

v3.0.0-beta.31

v3.0.0-beta.32

v3.0.0-beta.33

v3.0.0-beta.34

v3.0.0-beta.35

v3.0.0-beta.36

v3.0.0-beta.37

v3.0.0-beta.38

v3.0.0-beta.39

v3.0.0-beta.4

v3.0.0-beta.40

v3.0.0-beta.41

v3.0.0-beta.42

v3.0.0-beta.43

v3.0.0-beta.44

v3.0.0-beta.45

v3.0.0-beta.46

v3.0.0-beta.5

v3.0.0-beta.6

v3.0.0-beta.7

v3.0.0-beta.8

v3.0.0-beta.9

v3.0.1

v3.0.10

v3.0.11

v3.0.12

v3.0.13

v3.0.14

v3.0.15

v3.0.16

v3.0.17

v3.0.18

v3.0.19

v3.0.2

v3.0.20

v3.0.21

v3.0.22

v3.0.23

v3.0.24

v3.0.25

v3.0.26

v3.0.27

v3.0.28

v3.0.29

v3.0.3

v3.0.30

v3.0.31

v3.0.32

v3.0.33

v3.0.34

v3.0.35

v3.0.36

v3.0.37

v3.0.38

v3.0.39

v3.0.4

v3.0.40

v3.0.41

v3.0.42

v3.0.43

v3.0.44

v3.0.45

v3.0.46

v3.0.47

v3.0.48

v3.0.49

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.0-alpha.1

v3.1.0-alpha.2

v3.1.0-alpha.3

v3.1.0-alpha.4

v3.1.0-beta.1

v3.1.0-beta.2

v3.1.0-beta.3

v3.1.1

v3.1.10

v3.1.11

v3.1.12

v3.1.13

v3.1.14

v3.1.15

v3.1.16

v3.1.17

v3.1.18

v3.1.19

v3.1.2

v3.1.20

v3.1.21

v3.1.22

v3.1.23

v3.1.24

v3.1.25

v3.1.26

v3.1.27

v3.1.28

v3.1.29

v3.1.3

v3.1.30

v3.1.31

v3.1.32

v3.1.33

v3.1.34

v3.1.35

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.2.0

v3.2.0-beta.1

v3.2.1

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.14

v3.2.15

v3.2.16

v3.2.17

v3.2.18

v3.2.19

v3.2.2

v3.2.20

v3.2.21

v3.2.22

v3.2.23

v3.2.24

v3.2.25

v3.2.26

v3.2.27

v3.2.28

v3.2.29

v3.2.3

v3.2.30

v3.2.31

v3.2.32

v3.2.33

v3.2.34

v3.2.35

v3.2.36

v3.2.37

v3.2.38

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.0-beta.1

v3.3.0-beta.2

v3.3.0-beta.3

v3.3.0-beta.4

v3.3.0-beta.5

v3.3.0-beta.6

v3.3.0-beta.7

v3.3.1

v3.3.10

v3.3.11

v3.3.12

v3.3.13

v3.3.14

v3.3.15

v3.3.16

v3.3.17

v3.3.18

v3.3.19

v3.3.2

v3.3.20

v3.3.21

v3.3.22

v3.3.23

v3.3.24

v3.3.25

v3.3.26

v3.3.27

v3.3.28

v3.3.29

v3.3.3

v3.3.30

v3.3.31

v3.3.32

v3.3.33

v3.3.34

v3.3.35

v3.3.36

v3.3.37

v3.3.38

v3.3.39

v3.3.4

v3.3.40

v3.3.41

v3.3.42

v3.3.43

v3.3.44

v3.3.45

v3.3.46

v3.3.47

v3.3.48

v3.3.49

v3.3.5

v3.3.50

v3.3.51

v3.3.52

v3.3.53

v3.3.54

v3.3.55

v3.3.56

v3.3.57

v3.3.58

v3.3.59

v3.3.6

v3.3.60

v3.3.61

v3.3.62

v3.3.63

v3.3.64

v3.3.65

v3.3.66

v3.3.7

v3.3.8

v3.3.9

v3.4.0

v3.4.1

v3.4.10

v3.4.11

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v4.*

v4.0.0

v4.0.0-alpha.1

v4.0.0-alpha.2

v4.0.0-alpha.3

v4.0.0-alpha.4

v4.0.0-alpha.5

v4.0.0-beta.1

v4.0.0-beta.2

v4.0.0-beta.3

v4.0.0-beta.4

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.10.0

v4.10.1

v4.10.2

v4.11.0

v4.12.0

v4.13.0

v4.13.1

v4.13.2

v4.14.0

v4.15.0

v4.16.0

v4.17.0

v4.18.0

v4.19.0

v4.2.0

v4.20.0

v4.21.0

v4.22.0

v4.23.0

v4.23.1

v4.23.2

v4.24.0

v4.25.0

v4.26.0

v4.26.1

v4.27.0

v4.28.0

v4.29.0

v4.3.0

v4.30.0

v4.31.0

v4.32.0

v4.33.0

v4.34.0

v4.35.0

v4.36.0

v4.37.0

v4.38.0

v4.39.0

v4.4.0

v4.40.0

v4.41.0

v4.42.0

v4.42.1

v4.43.0

v4.44.0

v4.45.0

v4.46.0

v4.47.0

v4.48.0

v4.49.0

v4.5.0

v4.50.0

v4.51.0

v4.52.0

v4.53.0

v4.53.1

v4.53.2

v4.54.0

v4.55.0

v4.56.0

v4.56.1

v4.57.0

v4.57.1

v4.57.2

v4.57.3

v4.58.0

v4.58.1

v4.58.2

v4.6.0

v4.7.0

v4.8.0

v4.9.0

v4.9.1

v4.9.2

v5.*

v5.0.0

v5.0.0-alpha.1

v5.0.0-alpha.2

v5.0.0-alpha.3

v5.0.0-alpha.4

v5.0.0-alpha.5

v5.0.0-alpha.6

v5.0.0-beta.1

v5.0.0-beta.2

v5.0.0-beta.3

v5.0.0-beta.4

v5.0.1

v5.0.2

v5.1.0

v5.10.0

v5.11.0

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.17.0

v5.17.1

v5.18.0

v5.19.0

v5.2.0

v5.20.0

v5.21.0

v5.22.0

v5.22.1

v5.23.0

v5.24.0

v5.25.0

v5.26.0

v5.27.0

v5.28.0

v5.29.0

v5.3.0

v5.30.0

v5.31.0

v5.32.0

v5.33.0

v5.33.1

v5.34.0

v5.35.0

v5.36.0

v5.37.0

v5.38.0

v5.38.1

v5.39.0

v5.4.0

v5.40.0

v5.41.0

v5.42.0

v5.42.1

v5.43.0

v5.43.1

v5.43.2

v5.44.0

v5.45.0

v5.45.1

v5.45.2

v5.46.0

v5.46.1

v5.47.0

v5.48.0

v5.48.1

v5.49.0

v5.49.1

v5.5.0

v5.50.0

v5.51.0

v5.52.0

v5.53.0

v5.53.1

v5.54.0

v5.55.0

v5.56.0

v5.57.0

v5.58.0

v5.58.1

v5.59.0

v5.6.0

v5.6.1

v5.6.2

v5.60.0

v5.61.0

v5.62.0

v5.63.0

v5.64.0

v5.65.0

v5.65.1

v5.65.2

v5.66.0

v5.67.0

v5.68.0

v5.69.0

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.70.0

v5.71.0

v5.72.0

v5.73.0

v5.73.1

v5.73.2

v5.73.3

v5.73.4

v5.73.5

v5.73.6

v5.73.7

v5.73.8

v5.8.0

v5.9.0

v6.*

v6.0.0

v6.0.0-alpha.1

v6.0.0-alpha.10

v6.0.0-alpha.11

v6.0.0-alpha.12

v6.0.0-alpha.13

v6.0.0-alpha.14

v6.0.0-alpha.15

v6.0.0-alpha.16

v6.0.0-alpha.17

v6.0.0-alpha.18

v6.0.0-alpha.19

v6.0.0-alpha.2

v6.0.0-alpha.20

v6.0.0-alpha.21

v6.0.0-alpha.3

v6.0.0-alpha.4

v6.0.0-alpha.5

v6.0.0-alpha.6

v6.0.0-alpha.7

v6.0.0-alpha.8

v6.0.0-alpha.9

v6.0.0-beta.1

v6.0.0-beta.2

v6.0.0-beta.3

v6.0.0-beta.4

v6.0.0-beta.5

v6.0.0-beta.6

v6.1.0

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.3.0

v6.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27196.json"