CVE-2026-28425 Overview
CVE-2026-28425 is a Code Injection vulnerability affecting Statamic, a Laravel and Git powered content management system (CMS). Authenticated control panel users with access to Antlers-enabled inputs may achieve remote code execution (RCE) in the application context. This vulnerability allows attackers to fully compromise the application, including accessing sensitive configuration data, modifying or exfiltrating content, and potentially impacting system availability.
Critical Impact
Authenticated attackers can achieve remote code execution through Antlers template injection, leading to full application compromise including sensitive data access, modification, and potential system availability impact.
Affected Products
- Statamic CMS versions prior to 5.73.11
- Statamic CMS versions prior to 6.4.0
- Third-party addons that depend on vulnerable Statamic versions (e.g., SEO Pro addon)
Discovery Timeline
- 2026-02-27 - CVE-2026-28425 published to NVD
- 2026-02-27 - Statamic releases security patches v5.73.11 and v6.4.0
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28425
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw exists in Statamic's Antlers templating engine, which processes user-controlled content without adequate sanitization. When an authenticated user with specific control panel permissions crafts malicious Antlers template syntax, the application may execute arbitrary code within the application context.
The attack requires authentication and specific permissions within the Statamic control panel, making this a post-authentication exploitation scenario. However, once exploited, attackers gain the ability to execute arbitrary code with the same privileges as the web application, potentially leading to complete system compromise.
Root Cause
The root cause stems from insufficient input validation and sanitization when processing Antlers template syntax in user-controlled content fields. Antlers is Statamic's custom templating language, and when enabled on content fields, it dynamically evaluates template expressions. The vulnerability occurs because the template engine does not adequately restrict dangerous operations that authenticated users can inject through Antlers-enabled inputs.
Exploitation vectors include:
- Content fields with Antlers explicitly enabled (requires permission to configure fields and edit entries)
- Built-in configurations supporting Antlers, such as Forms email notification settings (requires configuration permission)
- Third-party addons that add Antlers-enabled fields to entries (e.g., the SEO Pro addon)
Attack Vector
The attack vector is network-based and requires authenticated access to the Statamic control panel with specific permissions. An attacker must have legitimate credentials and appropriate role assignments to access Antlers-enabled input fields.
The exploitation flow involves:
- Authentication: Attacker logs into the Statamic control panel with valid credentials
- Permission Access: Attacker navigates to an Antlers-enabled input field (content field, form notification settings, or addon-provided field)
- Payload Injection: Attacker injects malicious Antlers template syntax designed to execute arbitrary PHP code
- Code Execution: When the content is rendered or processed, the Antlers engine evaluates the malicious template, resulting in code execution within the application context
The vulnerability allows attackers to leverage Antlers template syntax to break out of the intended template context and execute arbitrary PHP functions or system commands.
Detection Methods for CVE-2026-28425
Indicators of Compromise
- Unusual or suspicious Antlers template syntax in content fields, particularly containing PHP function calls or system command references
- Unexpected modifications to Forms email notification settings with template injection patterns
- Anomalous control panel activity from authenticated users attempting to access or modify Antlers-enabled fields
- Web server logs showing POST requests to content editing endpoints with encoded or obfuscated payloads
- Evidence of unauthorized file access, creation, or modification in the application directory structure
Detection Strategies
- Monitor Statamic control panel access logs for suspicious user activity patterns and unusual content modifications
- Implement content change auditing to detect injection of potentially malicious Antlers template syntax
- Deploy web application firewall (WAF) rules to detect code injection patterns in form submissions
- Review user permission assignments regularly to ensure principle of least privilege for control panel access
- Use file integrity monitoring on critical application files to detect unauthorized modifications
Monitoring Recommendations
- Enable comprehensive audit logging for all control panel authentication events and content modifications
- Configure alerts for modifications to Forms email notification configurations and field definitions
- Monitor application error logs for template parsing failures or unexpected code execution errors
- Implement behavioral analytics to detect anomalous patterns from authenticated user accounts
- Review third-party addon configurations for Antlers-enabled fields that may expand the attack surface
How to Mitigate CVE-2026-28425
Immediate Actions Required
- Update Statamic CMS to version 5.73.11 or 6.4.0 immediately based on your major version branch
- Review and audit all user accounts with control panel access, removing unnecessary permissions
- Audit all Antlers-enabled content fields and configurations for suspicious or unexpected content
- Verify that third-party addons are updated to versions that depend on patched Statamic releases
- Implement additional access controls to restrict which users can modify Antlers-enabled fields
Patch Information
Statamic has released security patches addressing this vulnerability:
| Version Branch | Fixed Version | Release Link |
|---|---|---|
| 5.x | 5.73.11 | GitHub Release v5.73.11 |
| 6.x | 6.4.0 | GitHub Release v6.4.0 |
Update your Statamic installation using Composer:
composer update statamic/cms
Users of third-party addons that depend on Statamic should verify their addon dependencies are compatible with the patched versions and ensure the underlying Statamic installation is updated.
For complete security advisory details, refer to the GitHub Security Advisory GHSA-cpv7-q2wx-m8rw.
Workarounds
- Restrict control panel access to only trusted administrators until patches can be applied
- Disable Antlers processing on content fields where it is not explicitly required for functionality
- Implement strict role-based access control limiting which users can configure fields or modify Forms email notification settings
- Remove or disable third-party addons that add Antlers-enabled fields until addon compatibility with patched Statamic versions is confirmed
- Deploy a web application firewall (WAF) with rules to detect and block template injection patterns
# Example: Review current Statamic version
php artisan statamic:version
# Update Statamic via Composer
composer update statamic/cms --with-dependencies
# Clear application cache after update
php artisan cache:clear
php artisan config:clear
php artisan view:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
