CVE-2026-28425: Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with ...

Description

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.43%

34.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-94

Affected Software

Vendor	Product	Versions
Statamic	Statamic	< 5.73.11
Statamic	Statamic	>= 6.0.0, < 6.4.0

References

https://github.com/statamic/cms/releases/tag/v5.73.11Release Notes
https://github.com/statamic/cms/releases/tag/v6.4.0Release Notes
https://github.com/statamic/cms/security/advisories/GHSA-cpv7-q2wx-m8rwPatch, Vendor Advisory

Timeline

Published: Feb 27, 2026
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2026-28425?

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled content—for example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.16 and 6.7.2. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.

How severe is CVE-2026-28425?

CVE-2026-28425 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.

How do I fix CVE-2026-28425?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.