CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-28425
CVSS 8.0 · EPSS 0.14%

Statamic CMS Antlers Template Engine Remote Code Execution

Alon Barad, Software Engineer

Mar 1, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

CVE-2026-28425 allows authenticated Statamic users to execute arbitrary code via malicious Antlers template syntax. The flaw exists because the template engine previously failed to distinguish between trusted developer code and untrusted user input, exposing sensitive PHP functions and configuration data. Patches are available in versions 5.73.11 and 6.4.0.

A high-severity Remote Code Execution (RCE) vulnerability has been identified in the Antlers template engine of Statamic CMS. It arises from improper isolation of user-supplied content during template rendering, allowing authenticated users with low privileges to execute arbitrary PHP code. The flaw affects the Control Panel's handling of specific fields and configuration settings, effectively bridging the gap between content editing and server-side execution.

Vulnerability Overview

Statamic is a popular CMS built on top of the Laravel framework, utilizing a custom templating language known as 'Antlers'. The engine is designed to be expressive and powerful, allowing developers to manipulate data directly within views. However, this power becomes a liability when the engine processes untrusted input without adequate sandboxing.

The vulnerability, tracked as CVE-2026-28425, resides in how the Statamic Control Panel (CP) handles user-editable fields that have Antlers parsing enabled. In affected versions, the parsing logic does not differentiate between a developer-defined template file and content entered by a CMS user (e.g., in a Bard field, Textarea, or Form configuration). Consequently, the parser grants user input access to the full application context.

This exposure allows an attacker to inject Antlers tags that invoke PHP classes, reach into the Laravel service container, or read environment variables. Because Statamic is commonly deployed where content editors are trusted to write text but not code, the jump from 'content editor' to code execution as the web-server user is a serious privilege escalation.

Root Cause Analysis

The root cause of this vulnerability is an Improper Control of Generation of Code (CWE-94) within the Statamic\View\Antlers\Parser class. Specifically, the parser failed to implement a 'user-content' mode that restricts the available execution context.

When Statamic parses a template, it hydrates a context array containing variable data. Prior to the fix, this context included the entire application configuration via config()->all(). This meant that any variable defined in Laravel's configuration files—including sensitive secrets like APP_KEY, database credentials, and third-party API keys—was directly accessible to the template renderer.

Furthermore, the parser allowed the instantiation of arbitrary PHP objects and the invocation of methods on those objects. The engine did not enforce a whitelist of safe classes or methods. An attacker could utilize PHP's reflection capabilities (e.g., ReflectionFunction) or the Laravel service container to bypass superficial restrictions and execute system commands. The absence of a strict sandbox meant that once the parser encountered a tag like {{ php }}, or a modifier enabling method calls, it executed the logic with the privileges of the web server user.

Code Analysis

The remediation for CVE-2026-28425 involved introducing a strict context separation between developer templates and user content. The key changes were implemented in the Antlers parser and the Cascade data manager.

Before the Fix (Conceptual)

Previously, the parser would accept content and data without checking the source of the content string. It exposed the full configuration array by default.

// Vulnerable implementation
public function parse($content, $data = [])
{
    // All config data is merged into the view context
    $context = array_merge($data, config()->all());
    return $this->evaluate($content, $context);
}

After the Fix

The patch introduces a parseUserContent method and a global state flag isEvaluatingUserData. When this flag is true, the parser enforces strict boundaries.

// Patched implementation (Simplified)
public function parseUserContent($content, $data = [])
{
    $this->isEvaluatingUserData = true;
    try {
        // Use a curated whitelist of config values instead of config()->all()
        $safeConfig = Cascade::config(); 
        
        // The parser now throws exceptions if unsafe methods are called
        return $this->evaluate($content, array_merge($data, $safeConfig));
    } finally {
        $this->isEvaluatingUserData = false;
    }
}

Additionally, the patch hardens the nocache tag handling. Previously, the Static Caching middleware would process {{ nocache }} blocks even on routes that were explicitly excluded from caching. The fix ensures that the exclusion list is checked before any placeholder replacement occurs, preventing the parser from touching user-controlled nocache blocks on non-cached pages.
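To make the before/after split concrete, here is a small Python model of the pattern. It is an added example, not Statamic's code or the page author's: a parse() that hands templates the full config and lets expressions call methods on context objects, beside a parse_user_content() that sets an is_evaluating_user_data flag, substitutes an allow-listed config tree and refuses any callable. FULL_CONFIG, SAFE_CONFIG_KEYS and the Shell stand-in are constructed for the example.

```python
"""Trusted-template vs user-content rendering, modelled in Python.

Added illustration of the context split described in the Code Analysis above; it is
not Statamic code and only mimics the shape of parse()/parseUserContent(). The
FULL_CONFIG tree, SAFE_CONFIG_KEYS allowlist and Shell class are constructed for
the example.
"""
import re

TAG_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")
# Expressions handled here: a colon-separated path, optionally with one quoted argument,
# e.g. "title", "config:app:key", "shell:run('id')"
EXPR_RE = re.compile(r"^([A-Za-z_][\w:]*)(?:\(\s*(['\"])(.*?)\2\s*\))?$")


class UnsafeUserContent(Exception):
    """Raised when user content attempts something only developer templates may do."""


class Shell:
    """Stand-in for a context object with a dangerous method; it records instead of executing."""

    def run(self, cmd):
        return f"[would run: {cmd}]"


# Constructed stand-in for Laravel's config()->all(), secrets included
FULL_CONFIG = {
    "app": {"name": "Demo Site", "env": "production", "key": "base64:SECRET-APP-KEY"},
    "database": {"connections": {"mysql": {"password": "db-pass"}}},
}

# Curated config paths that user content may read (hypothetical allowlist)
SAFE_CONFIG_KEYS = [("app", "name"), ("app", "env")]


def safe_config():
    """Copy only the allow-listed paths out of FULL_CONFIG."""
    out = {}
    for path in SAFE_CONFIG_KEYS:
        node = FULL_CONFIG
        for part in path:
            node = node[part]
        cur = out
        for part in path[:-1]:
            cur = cur.setdefault(part, {})
        cur[path[-1]] = node
    return out


class Parser:
    def __init__(self):
        self.is_evaluating_user_data = False

    def parse(self, content, data=None):
        """Developer templates: full config and method calls (the pre-fix behaviour)."""
        return self._evaluate(content, {**(data or {}), "config": FULL_CONFIG})

    def parse_user_content(self, content, data=None):
        """User content: allow-listed config only and no callables, for the whole render."""
        self.is_evaluating_user_data = True
        try:
            return self._evaluate(content, {**(data or {}), "config": safe_config()})
        finally:
            self.is_evaluating_user_data = False

    def _evaluate(self, content, context):
        def render(match):
            m = EXPR_RE.match(match.group(1))
            if not m:
                raise ValueError(f"unsupported expression: {match.group(1)!r}")
            path, _quote, arg = m.groups()
            value = context
            for part in path.split(":"):
                value = value.get(part) if isinstance(value, dict) else getattr(value, part, None)
                if value is None:
                    return ""  # unknown variables render as empty text
            if callable(value):
                if self.is_evaluating_user_data:
                    raise UnsafeUserContent(f"method call {path!r} is not allowed in user content")
                return str(value(arg) if arg is not None else value())
            return str(value)

        return TAG_RE.sub(render, content)


if __name__ == "__main__":
    p = Parser()
    data = {"title": "Hello", "shell": Shell()}
    print(p.parse("{{ config:app:key }} {{ shell:run('id') }}", data))
    print(p.parse_user_content("{{ config:app:name }} {{ config:app:key }}", data))
```

The detail worth checking in a real fix is the finally block: the flag must be reset even when evaluation throws, otherwise one failed user render would leave the parser in restricted mode for every later developer template, and a missing reset in the other direction would let a later user render inherit full privileges.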

Exploitation Methodology

To exploit this vulnerability, an attacker requires authentication to the Statamic Control Panel. The required privilege level is low—any role capable of editing entries, configuring forms, or modifying global sets where Antlers parsing is active is sufficient.

Step 1: Identification

The attacker identifies a field that supports Antlers parsing. Common targets include:

  • 'Bard' or 'Markdown' fields where the 'Antlers' option is enabled in the blueprint.
  • Form email notification templates (often customizable in the CP).
  • SEO Pro settings or other addon configurations that parse variable data.

Step 2: Payload Injection

The attacker injects a payload designed to break out of the template logic and execute PHP. Server-Side Template Injection (SSTI) payloads for PHP engines commonly use Reflection to sidestep naive restrictions on direct function calls. The payload shapes below are illustrative of the technique rather than a verified, version-specific exploit.

{{ (new \ReflectionFunction("system"))->invoke("id") }}

Alternatively, if the php tag is not explicitly disabled or can be re-enabled via context manipulation:

{{ php }}
    echo system('cat /etc/passwd');
{{ /php }}

Step 3: Execution

Upon saving the entry or previewing the content, the server parses the Antlers syntax. The injected code executes, returning the output of the system command in the rendered HTML or executing silently if the output is suppressed. This grants the attacker Remote Code Execution (RCE) on the underlying server.
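A first response step is to find out whether anyone has already planted tags like these in stored content. The scanner below is an added example (not Statamic tooling and not from the advisory); it assumes Statamic's flat-file layout (entries as Markdown with YAML front matter under content/, form and global YAML alongside) and flags PHP blocks, dangerous PHP function names, class references and config/env access inside user-editable text. Besides the {{ php }} form shown above it also matches the {{? ?}} and {{$ $}} forms, which are Antlers' own PHP-in-template syntax. SAMPLE_ENTRY is constructed.

```python
"""Hunt for injected Antlers in stored Statamic content.

Added example, not Statamic's or the page author's tooling. It assumes Statamic's
flat-file layout (entries as Markdown with YAML front matter under content/, form
and global YAML alongside). SAMPLE_ENTRY is constructed for the example.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# {{ php }}...{{ /php }} as in the write-up, plus Antlers' {{? ?}} and {{$ $}} PHP forms
PHP_BLOCK_RE = re.compile(
    r"\{\{\s*php\s*\}\}.*?\{\{\s*/php\s*\}\}|\{\{\?.*?\?\}\}|\{\{\$.*?\$\}\}", re.S | re.I
)
TAG_RE = re.compile(r"\{\{.*?\}\}", re.S)

CHECKS = [
    ("php block", re.compile(r"^\{\{\s*(\?|\$|/?php\b)", re.I)),
    ("dangerous function", re.compile(
        r"\b(system|exec|shell_exec|passthru|proc_open|popen|eval|"
        r"file_get_contents|file_put_contents|unlink|include|require)\s*\(", re.I)),
    ("class reference", re.compile(r"\bReflection\w*|\bnew\s+\\?[A-Z]|\\[A-Z]\w*")),
    ("config/env access", re.compile(r"\bconfig\b|\benv\s*\(|\bgetenv\b|\$_ENV|\$_SERVER")),
]


@dataclass
class Finding:
    path: str
    line: int
    reasons: list
    snippet: str


def reasons_for(body: str) -> list:
    """Names of every check that fires on one tag or PHP block, in CHECKS order."""
    return [name for name, rx in CHECKS if rx.search(body)]


def scan_text(text: str, path: str = "<inline>") -> list:
    """Return one Finding per suspicious tag or PHP block, in document order."""
    php_spans = [(m.start(), m.end()) for m in PHP_BLOCK_RE.finditer(text)]
    spans = [(s, e, text[s:e]) for s, e in php_spans]
    for m in TAG_RE.finditer(text):
        # the opening/closing tags of a PHP block were already captured as one unit
        if any(s <= m.start() < e for s, e in php_spans):
            continue
        spans.append((m.start(), m.end(), m.group(0)))
    findings = []
    for start, _end, body in sorted(spans):
        reasons = reasons_for(body)
        if reasons:
            line = text.count("\n", 0, start) + 1
            findings.append(Finding(path, line, reasons, " ".join(body.split())[:80]))
    return findings


def scan_tree(root) -> list:
    """Scan every Markdown/YAML file below root (e.g. a site's content/ directory)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix in {".md", ".yaml", ".yml"}:
            findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p)))
    return findings


# Constructed entry: one benign tag, then three injected ones
SAMPLE_ENTRY = (
    "---\n"
    "id: 1b2c3d4e\n"
    "title: 'Quarterly update'\n"
    "antlers_body: |\n"
    "  Hello {{ title }}, welcome.\n"
    "  {{ config:app:key }}\n"
    "  {{ (new \\ReflectionFunction(\"system\"))->invoke(\"id\") }}\n"
    "  {{ php }} echo system('cat /etc/passwd'); {{ /php }}\n"
    "---\n"
    "Plain markdown body.\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENTRY, "content/collections/blog/quarterly-update.md"):
        print(f"{f.path}:{f.line}: {', '.join(f.reasons)}: {f.snippet}")
```

Run scan_tree() over content/ and resources/forms/ and triage anything it returns; in a site where editors are not expected to write Antlers at all, a plain {{ ... }} tag in an entry is already worth a look, so loosen reasons_for() to match on every tag if that is your policy.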

Impact Assessment

The impact of CVE-2026-28425 is rated High (CVSS 8.0): confidentiality, integrity, and availability are each scored High in the vector.

Confidentiality: The vulnerability allows unauthorized access to sensitive data. Attackers can read the contents of .env files, gaining access to database credentials, API keys (e.g., AWS, Stripe), and the APP_KEY used for encryption. This often leads to lateral movement within the network.

Integrity: With RCE, an attacker can modify application code, inject backdoors, deface the website, or alter database records. They can establish persistent access that survives updates or restarts.

Availability: An attacker could delete critical system files, drop database tables, or launch resource-exhaustion attacks, rendering the CMS and the website it powers unavailable.

While the attack requires authentication, the low privilege requirement means that a compromised editor account or a disgruntled employee can escalate their privileges to full server control.

Technical Appendix

CVSS Score: 8.0 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Probability: 0.14%

Affected Systems

  • Statamic CMS 5.x < 5.73.11
  • Statamic CMS 6.x < 6.4.0

Affected Versions Detail

Product         Affected Versions     Fixed Version
Statamic CMS    < 5.73.11             5.73.11
Statamic CMS    >= 6.0.0, < 6.4.0     6.4.0

Attribute        Detail
CWE ID           CWE-94 (Code Injection)
CVSS Score       8.0 (High)
Attack Vector    Network (Authenticated)
Impact           Remote Code Execution (RCE)
EPSS Score       0.00138 (0.14%)
Exploit Status   Proof-of-Concept Available
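To tell affected from patched installs without relying on the Control Panel's self-reported version, read composer.lock. The script below is an added example, not from the page or from Statamic; the ranges are the ones in the table above (5.x below 5.73.11; 6.0.0 up to, but not including, 6.4.0), a pre-release suffix such as 6.4.0-beta.1 is treated as older than the release, and COMPOSER_LOCK_SAMPLE is constructed.

```python
"""Check a Statamic install's composer.lock against the fixed versions above.

Added example, not from the page or Statamic; the affected ranges are the ones the
advisory table lists. COMPOSER_LOCK_SAMPLE is constructed; point check_lock_file()
at a real composer.lock.
"""
import json
import re

PACKAGE = "statamic/cms"
# Per major line: the first fixed version, as (major, minor, patch, is_release)
FIXED = {5: (5, 73, 11, 1), 6: (6, 4, 0, 1)}


def parse_version(v: str):
    """'v5.73.10', '6.3.2' or '6.4.0-beta.1' -> (major, minor, patch, is_release)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[\w.]+)?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")  # e.g. 'dev-main' installs
    major, minor, patch, pre = m.groups()
    # a pre-release of the fixed version sorts below the release, so it counts as vulnerable
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def status(version: str) -> str:
    """'vulnerable', 'patched' or 'unlisted' (major line not covered by the advisory ranges)."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if ver < fixed else "patched"


def check_lock(lock: dict) -> dict:
    """Inspect a parsed composer.lock; 'packages' is production, 'packages-dev' dev-only."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return {"version": pkg["version"], "status": status(pkg["version"]), "section": section}
    return {"version": None, "status": "not-installed", "section": None}


def check_lock_file(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return check_lock(json.load(fh))


# Constructed composer.lock excerpt (only the fields the check reads)
COMPOSER_LOCK_SAMPLE = {
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v5.73.10"},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    print(check_lock(COMPOSER_LOCK_SAMPLE))
```

composer.lock records what was actually installed, which is what matters when composer.json carries a loose constraint such as ^5.0; a branch install like dev-main raises ValueError on purpose so it gets looked at by hand.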

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell (Execution)
  • T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)

CWE-94: Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Vulnerability Timeline

  • 2026-02-23: Core fix commits merged (Antlers sandboxing)
  • 2026-02-27: CVE published and security advisory released
  • 2026-02-27: Patched versions 5.73.11 and 6.4.0 released

References & Sources

  • [1] GitHub Advisory GHSA-cpv7-q2wx-m8rw
  • [2] Statamic v5.73.11 Release Notes
  • [3] NVD Record CVE-2026-28425