📄 Description (English)
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
🤖 AI Executive Summary
Statamic CMS versions prior to 5.73.11 and 6.4.0 contain a stored XSS vulnerability in SVG and icon components that allows authenticated users to inject malicious JavaScript executable by higher-privileged users. With a CVSS score of 8.7, this vulnerability poses significant risk to organizations using Statamic for content management, particularly those with multi-tier user hierarchies. Immediate patching is critical to prevent privilege escalation and unauthorized actions by attackers with lower-level access.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 21:19
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Statamic CMS for content management—particularly government agencies, educational institutions, and media companies—face significant risk. Government entities under NCA oversight and SAMA-regulated financial institutions using Statamic for customer-facing portals are especially vulnerable. The vulnerability enables privilege escalation attacks where lower-level content editors can compromise administrator accounts, potentially leading to unauthorized access to sensitive data, system manipulation, and compliance violations. Media and publishing sectors in Saudi Arabia relying on Statamic for digital content distribution face reputational and operational risks.
🏢 Affected Saudi Sectors
Government
Education
Media and Publishing
Financial Services
Healthcare
Telecommunications
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Statamic installations in your environment and document current versions
2. Restrict access to SVG and icon upload/management features until patching is complete
3. Review user access logs for suspicious SVG/icon uploads or modifications in the past 90 days
4. Audit all SVG and icon files currently stored in Statamic for malicious content
PATCHING GUIDANCE:
1. Upgrade Statamic to version 5.73.11 or 6.4.0 or later immediately
2. Test patches in non-production environments first
3. Implement staged rollout to production systems
4. Verify SVG rendering functionality post-patch
COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement Content Security Policy (CSP) headers to restrict inline script execution
2. Disable SVG upload functionality at the application level if not critical
3. Implement strict input validation and sanitization for SVG content
4. Enforce principle of least privilege—limit SVG/icon management to trusted administrators only
5. Enable detailed audit logging for all SVG/icon-related activities
DETECTION RULES:
1. Monitor for SVG files containing <script> tags or event handlers (onload, onerror, etc.)
2. Alert on SVG uploads from non-administrative accounts
3. Track modifications to SVG/icon components by lower-privileged users
4. Monitor for unusual JavaScript execution patterns in admin dashboards
5. Log and alert on any XSS-related WAF triggers related to SVG parameters
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع تثبيتات Statamic في بيئتك وقثق الإصدارات الحالية
2. قيد الوصول إلى ميزات تحميل وإدارة SVG والرموز حتى اكتمال التصحيح
3. راجع سجلات الوصول للمستخدمين بحثاً عن عمليات تحميل أو تعديلات SVG مريبة في آخر 90 يوماً
4. تدقيق جميع ملفات SVG والرموز المخزنة حالياً في Statamic بحثاً عن محتوى ضار
إرشادات التصحيح:
1. قم بترقية Statamic إلى الإصدار 5.73.11 أو 6.4.0 أو أحدث على الفور
2. اختبر التصحيحات في بيئات غير الإنتاج أولاً
3. تنفيذ طرح مرحلي لأنظمة الإنتاج
4. تحقق من وظيفة عرض SVG بعد التصحيح
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لتقييد تنفيذ البرامج النصية المضمنة
2. تعطيل وظيفة تحميل SVG على مستوى التطبيق إذا لم تكن حرجة
3. تنفيذ التحقق من الصحة والتطهير الصارم لمحتوى SVG
4. فرض مبدأ أقل امتياز—قيد إدارة SVG والرموز للمسؤولين الموثوقين فقط
5. تفعيل تسجيل التدقيق التفصيلي لجميع الأنشطة المتعلقة بـ SVG والرموز
قواعد الكشف:
1. مراقبة ملفات SVG التي تحتوي على علامات <script> أو معالجات الأحداث (onload, onerror, إلخ)
2. تنبيه عند تحميل SVG من حسابات غير إدارية
3. تتبع التعديلات على مكونات SVG والرموز من قبل المستخدمين ذوي الامتيازات المنخفضة
4. مراقبة أنماط تنفيذ JavaScript غير العادية في لوحات المسؤولين
5. تسجيل والتنبيه على أي محفزات WAF المتعلقة بـ XSS المتعلقة بمعاملات SVG
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - Input Validation and Output Encoding
5.3.2 - Security Testing and Vulnerability Management
5.4.1 - Incident Detection and Response
🔵 SAMA CSF
ID.BE-1 - Governance and Risk Management
PR.AC-1 - Access Control
PR.DS-2 - Data Security
DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
A.5.15 - Access Control
A.5.16 - Cryptography
A.8.22 - Monitoring
A.12.6.1 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws
6.5.7 - Cross-site scripting (XSS)
11.2 - Vulnerability scanning
🔗 References & Sources 3
🔗
https://github.com/statamic/cms/releases/tag/v5.73.11
security-advisories@github.com
Release Notes
🔗
https://github.com/statamic/cms/releases/tag/v6.4.0
security-advisories@github.com
Release Notes
🔗
https://github.com/statamic/cms/security/advisories/GHSA-5vrj-wf7v-5wr7
security-advisories@github.com
Patch
Vendor Advisory
📦 Affected Products / CPE 2 entries
statamic:statamic
statamic:statamic