CVE-2026-33172 Overview
CVE-2026-33172 is a stored Cross-Site Scripting (XSS) vulnerability affecting Statamic, a Laravel and Git powered content management system (CMS). The vulnerability exists in the SVG asset reupload functionality, where authenticated users with asset upload permissions can bypass SVG sanitization mechanisms and inject malicious JavaScript code. When a victim views the compromised SVG asset, the injected script executes in their browser context.
Critical Impact
Authenticated attackers can bypass SVG sanitization during asset reuploads to execute arbitrary JavaScript in victim browsers, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of privileged users.
Affected Products
- Statamic CMS versions prior to 5.73.14
- Statamic CMS versions prior to 6.7.0
Discovery Timeline
- 2026-03-20 - CVE-2026-33172 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33172
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) arises from insufficient sanitization of SVG files during the asset reupload process in Statamic CMS. While initial uploads may be properly sanitized, the reupload mechanism fails to apply the same security controls, creating a bypass opportunity for attackers.
SVG files are XML-based image formats that can contain embedded JavaScript through various vectors including <script> tags, event handlers (such as onload, onerror, onclick), and href attributes with javascript: URIs. When these malicious SVG files are served to users and rendered in their browsers, the embedded scripts execute with the same origin privileges as the Statamic application.
The attack requires authentication with asset upload permissions, which limits the initial attack surface. However, once a malicious SVG is uploaded, any user viewing that asset becomes a potential victim, making this a persistent threat that can impact administrators and other privileged users.
Root Cause
The root cause is a missing or incomplete sanitization check in the SVG reupload code path. While Statamic implements SVG sanitization for initial uploads, the reupload functionality bypasses this security control. This inconsistency in input validation between different upload operations creates a security gap that attackers can exploit to inject malicious content into SVG assets.
Attack Vector
The attack follows a network-based vector requiring authenticated access with asset upload permissions. An attacker crafts a malicious SVG file containing JavaScript payloads embedded within SVG elements or event handlers. The attacker then uses the reupload functionality to replace an existing asset with the malicious SVG, bypassing the sanitization that would normally occur on initial upload.
When an administrator or other user views the asset through the Statamic control panel or front-end, the malicious JavaScript executes in their browser session. This can be leveraged for session hijacking, phishing attacks within the CMS context, or performing unauthorized actions with the victim's privileges.
The vulnerability requires user interaction (viewing the malicious asset), but given that assets are commonly viewed during normal CMS operations, exploitation opportunities are frequent in active deployments.
Detection Methods for CVE-2026-33172
Indicators of Compromise
- Presence of SVG files containing <script> tags or JavaScript event handlers in asset storage directories
- Unusual asset reupload activity from accounts with upload permissions
- Browser console errors or unexpected script execution when viewing SVG assets
- User reports of unexpected behavior or redirects when accessing the Statamic control panel
Detection Strategies
- Implement content security policies (CSP) that restrict inline script execution and report violations
- Deploy web application firewall (WAF) rules to detect SVG files containing script elements or event handlers
- Monitor asset upload and reupload API endpoints for suspicious patterns or unusually large numbers of requests
- Review server access logs for repeated access to specific SVG assets from multiple user sessions
Monitoring Recommendations
- Enable verbose logging for asset management operations in Statamic
- Set up alerting for SVG uploads that fail CSP validation
- Monitor for changes to existing SVG assets through file integrity monitoring
- Track user sessions accessing SVG assets for anomalous behavior patterns
How to Mitigate CVE-2026-33172
Immediate Actions Required
- Update Statamic CMS to version 5.73.14 or later for the 5.x branch
- Update Statamic CMS to version 6.7.0 or later for the 6.x branch
- Audit existing SVG assets for malicious content using SVG scanning tools
- Review asset upload permissions and restrict to trusted users where possible
Patch Information
Statamic has released security patches addressing this vulnerability. Users should upgrade to version 5.73.14 for the 5.x release branch or version 6.7.0 for the 6.x release branch. The patches ensure that SVG sanitization is applied consistently across all upload operations, including reuploads.
For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable SVG upload capabilities through Statamic's asset container configuration
- Implement server-side SVG sanitization using external tools before files are stored
- Deploy strict Content Security Policy headers to prevent inline script execution
- Restrict asset upload permissions to administrators only until patches can be applied
# Configuration example
# Add to .htaccess or nginx config to serve SVGs with restricted headers
# Apache example - force SVGs to download rather than render inline
<FilesMatch "\.svg$">
Header set Content-Disposition "attachment"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "script-src 'none'"
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
