VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-cz95-w9j3-mufn

Essentials
Severities (16)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-cz95-w9j3-mufn
Aliases	CVE-2026-27196 GHSA-8r7r-f4gm-wcpq
Summary	Statamic affected by privilege escalation via stored cross-site scripting Stored XSS vulnerability in `html` fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00014	https://api.first.org/data/v1/epss?cve=CVE-2026-27196
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
cvssv3.1	8.1	https://github.com/statamic/cms
generic_textual	HIGH	https://github.com/statamic/cms
cvssv3.1	8.1	https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
generic_textual	HIGH	https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
ssvc	Track	https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
cvssv3.1	8.1	https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
generic_textual	HIGH	https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
ssvc	Track	https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
cvssv3.1	8.1	https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
cvssv3.1_qr	HIGH	https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
generic_textual	HIGH	https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
ssvc	Track	https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq
cvssv3.1	8.1	https://nvd.nist.gov/vuln/detail/CVE-2026-27196
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-27196

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-27196
		https://github.com/statamic/cms
		https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b
		https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3
CVE-2026-27196		https://nvd.nist.gov/vuln/detail/CVE-2026-27196
GHSA-8r7r-f4gm-wcpq		https://github.com/advisories/GHSA-8r7r-f4gm-wcpq
GHSA-8r7r-f4gm-wcpq		https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/statamic/cms

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/ Found at https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/ Found at https://github.com/statamic/cms/commit/6c270dacc2be02bfc2eee500766f3309f59d47b3

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:59:04Z/ Found at https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27196

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.02781
EPSS Score	0.00014
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T21:06:44.088820+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/statamic/cms/CVE-2026-27196.yml	38.6.0