CVE-2026-28425

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-28425
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28425.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28425
Aliases
Published
2026-02-27T22:20:39.735Z
Modified
2026-04-10T05:41:06.652381Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
Details

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

Database specific 
{
    "cwe_ids": [
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28425.json"
}
References

Affected packages

Git / github.com/statamic/cms

Affected ranges

Type
GIT
Repo
https://github.com/statamic/cms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
291a660355d8a20a8c49537dcc92bab2ba7e6eb1
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.73.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/statamic/cms
Events
Introduced
d1bb31cfa1191226cee2a2d1e17aa4c25541e568
Fixed
0b45b8a5c1537e83a4252d3f7681f2e9572653b0
Database specific 
{
    "versions": [
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.7.2"
        }
    ]
}

Affected versions

v3.*
v3.0.0
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.40
v3.0.0-beta.41
v3.0.0-beta.42
v3.0.0-beta.43
v3.0.0-beta.44
v3.0.0-beta.45
v3.0.0-beta.46
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.2
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.3
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.0-alpha.1
v3.1.0-alpha.2
v3.1.0-alpha.3
v3.1.0-alpha.4
v3.1.0-beta.1
v3.1.0-beta.2
v3.1.0-beta.3
v3.2.0
v3.2.0-beta.1
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.2
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.3
v3.2.30
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-beta.1
v3.3.0-beta.2
v3.3.0-beta.3
v3.3.0-beta.4
v3.3.0-beta.5
v3.3.0-beta.6
v3.3.0-beta.7
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.4.2
v4.*
v4.0.0
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.12.0
v4.13.0
v4.13.1
v4.13.2
v4.14.0
v4.15.0
v4.16.0
v4.17.0
v4.18.0
v4.19.0
v4.2.0
v4.20.0
v4.21.0
v4.22.0
v4.23.0
v4.23.1
v4.23.2
v4.24.0
v4.25.0
v4.26.0
v4.26.1
v4.27.0
v4.28.0
v4.29.0
v4.3.0
v4.30.0
v4.31.0
v4.32.0
v4.33.0
v4.34.0
v4.35.0
v4.36.0
v4.37.0
v4.38.0
v4.39.0
v4.4.0
v4.40.0
v4.41.0
v4.42.0
v4.42.1
v4.43.0
v4.44.0
v4.45.0
v4.46.0
v4.47.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v5.*
v5.0.0
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-beta.1
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.0-beta.4
v5.0.1
v5.0.2
v5.1.0
v5.10.0
v5.11.0
v5.12.0
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.17.0
v5.17.1
v5.18.0
v5.19.0
v5.2.0
v5.20.0
v5.21.0
v5.22.0
v5.22.1
v5.23.0
v5.24.0
v5.25.0
v5.26.0
v5.27.0
v5.28.0
v5.29.0
v5.3.0
v5.30.0
v5.31.0
v5.32.0
v5.33.0
v5.33.1
v5.34.0
v5.35.0
v5.36.0
v5.37.0
v5.38.0
v5.38.1
v5.39.0
v5.4.0
v5.40.0
v5.41.0
v5.42.0
v5.42.1
v5.43.0
v5.43.1
v5.43.2
v5.44.0
v5.45.0
v5.45.1
v5.45.2
v5.46.0
v5.46.1
v5.47.0
v5.48.0
v5.48.1
v5.49.0
v5.49.1
v5.5.0
v5.50.0
v5.51.0
v5.52.0
v5.53.0
v5.53.1
v5.54.0
v5.55.0
v5.56.0
v5.57.0
v5.58.0
v5.58.1
v5.59.0
v5.6.0
v5.6.1
v5.6.2
v5.60.0
v5.61.0
v5.62.0
v5.63.0
v5.64.0
v5.65.0
v5.65.1
v5.65.2
v5.66.0
v5.67.0
v5.68.0
v5.69.0
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.70.0
v5.71.0
v5.72.0
v5.73.0
v5.73.1
v5.73.10
v5.73.11
v5.73.12
v5.73.13
v5.73.14
v5.73.15
v5.73.2
v5.73.3
v5.73.4
v5.73.5
v5.73.6
v5.73.7
v5.73.8
v5.73.9
v5.8.0
v5.9.0
v6.*
v6.0.0
v6.1.0
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.4.0
v6.4.1
v6.5.0
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.7.0
v6.7.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28425.json"