CVE-2026-28425:

Remote code execution vulnerability in Statamic CMS affecting authenticated users with access to Antlers-enabled inputs.

Score
A numerical rating that indicates how dangerous this vulnerability is.

8.0High

Published Date:Feb 27, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.2
EPSS Percentile:37%

Exploitability

Score:2.1
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:REQUIRED
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Remote code execution vulnerability in Statamic CMS affecting authenticated users with access to Antlers-enabled inputs.

Overview

The vulnerability exists in Statamic CMS where Antlers runs on user-controlled content. Exploitation is possible in scenarios such as content fields with Antlers explicitly enabled, built-in configurations supporting Antlers (e.g., Forms email notification settings), or third-party addons that add Antlers-enabled fields to entries. In each case, the attacker must have relevant control panel permissions. The vulnerability has a CVSS v3.1 base score of 8.0 (High), requiring network access, low attack complexity, low privileges, and user interaction. It can potentially impact confidentiality, integrity, and availability of the system.

Remediation

To address this vulnerability, users should update Statamic to version 5.73.16 or 6.7.2, depending on their current major version. It is crucial for users of addons that depend on Statamic to ensure they are running a patched Statamic version after updating. Additionally, organizations should review and limit control panel permissions, especially those related to Antlers-enabled inputs, to minimize potential attack surfaces.