CVE-2026-32612

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32612

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32612.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-32612

Aliases

GHSA-hcch-w73c-jp4m

Published

2026-03-12T21:47:21.697Z

Modified

2026-03-14T21:48:33.176823Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Statamic: privilege escalation via stored cross-site scripting

Details

Statamic is a Laravel and Git powered content management system (CMS). Prior to 6.6.2, stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account. This has been fixed in 6.6.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32612.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/statamic/cms

Affected ranges

Type

GIT

Repo

https://github.com/statamic/cms

Events

Introduced

d1bb31cfa1191226cee2a2d1e17aa4c25541e568

Fixed

777bdf554a7c481ff307495b20be99a71bf72f1a

Database specific

{
    "versions": [
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.6.2"
        }
    ]
}

Affected versions

v5.*

v5.73.10

v5.73.11

v5.73.12

v5.73.3

v5.73.4

v5.73.5

v5.73.6

v5.73.7

v5.73.8

v5.73.9

v6.*

v6.0.0

v6.1.0

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.4.0

v6.4.1

v6.5.0

v6.6.0

v6.6.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32612.json"