Statamic, Privilege Escalation via Stored Cross-Site Scripting, CVE-2026-32612 (Moderate)

Listen to this Post

This CVE details a stored Cross-Site Scripting (XSS) vulnerability found in the Statamic CMS control panel, specifically within the color mode preference functionality . An authenticated user with access to the control panel can inject malicious JavaScript code into this preference field. Because the input is not properly sanitized before being stored, the payload is saved on the server. The attack is triggered when a higher-privileged user, such as an administrator, performs an “impersonation” action to log in as the lower-privileged user who planted the payload . Upon the higher-privileged user’s session loading the malicious script in the context of the control panel, the script can execute arbitrary actions, effectively allowing the lower-privileged user to escalate their privileges to match those of the higher-privileged user . This vulnerability stems from improper neutralization of input during web page generation (CWE-79) . The issue has been addressed and patched in Statamic version 6.6.2 .

DailyCVE Form:

Platform: Statamic
Version: Prior to 6.6.2
Vulnerability : Stored XSS
Severity: Medium (CVSS 5.4)
date: March 12, 2026

Prediction: Patch already released (2026-03-13)

What Undercode Say:

Analytics:

The vulnerability is specific to the control panel’s color mode toggling feature. It requires an authenticated user, meaning the attacker must already have a valid account with access to the Statamic control panel. The exploit’s success hinges on social engineering or administrative action, specifically the act of a higher-privileged user impersonating the attacker’s account. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) highlights that while the attack is over the network and has low complexity, it requires user interaction (the admin clicking “impersonate”) and results in a scope change, allowing the attacker to potentially impact resources beyond their original permissions .

Exploit:

An attacker with basic control panel access would perform the following steps:
1. Navigate to their user profile or settings page where the color mode preference is stored.
2. Instead of a standard value like “dark” or “light”, they inject a malicious script. The exact input field for the color mode preference is the injection point.
3. Save the changes. The payload is now stored on the server.
4. Wait for an administrator to impersonate their account. When the admin does this, the script executes in the admin’s browser session.
5. The script can then perform actions on behalf of the admin, such as creating a new super admin account or modifying existing permissions.
A sample proof-of-concept payload for the color mode field could be:

dark"><script>fetch('/cp/users', {credentials:'include'}).then(...);</script>

Protection from this CVE:

The primary and recommended form of protection is to update the Statamic CMS to the patched version.
– Update: Upgrade to version 6.6.2 or later immediately .
– Input Validation: As a defense-in-depth measure, ensure that all user-supplied input, especially in control panel settings, is properly sanitized and validated on the server-side.
– Principle of Least Privilege: Regularly audit user accounts and permissions. Limit the number of users with control panel access, particularly those with lower privileges who could be compromised to launch this attack.
– Content Security Policy (CSP): Implement a strong CSP header to mitigate the impact of XSS by restricting the sources from which scripts can be loaded and executed.

Impact:

Successful exploitation of this vulnerability allows an attacker to perform a privilege escalation attack. A user with limited, low-privilege access can execute arbitrary JavaScript in the context of a higher-privileged user’s browser. This can lead to unauthorized actions within the CMS, including:
– Account Takeover: Full compromise of higher-privileged user accounts.
– Data Breach: Access to sensitive content and configuration data intended only for administrators.
– Site Defacement: Unauthorized modification of website content.
– Persistence: Creation of new administrative accounts for long-term unauthorized access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top