CVE-2026-28426:
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
Score
A numerical rating that indicates how dangerous this vulnerability is.
5.4 (Medium)
- Published Date: Feb 27, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.0
- EPSS Percentile: 1%
Exploitability
- Score: 2.3
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: REQUIRED
- Scope: CHANGED
Impact
- Score: 2.7
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.