CVE-2026-28425 is a Remote Code Execution (RCE) vulnerability impacting Statamic CMS versions up to 5.9.0. An authenticated control panel user with access to Antlers-enabled inputs can exploit this flaw to achieve remote code execution within the application's context. This can lead to a complete compromise of the system, potentially exposing sensitive data and disrupting service. A fix is available in version 5.73.16.
The impact of CVE-2026-28425 is significant due to the potential for full system compromise. An attacker exploiting this vulnerability could gain access to sensitive configuration files, modify or exfiltrate data stored within the Statamic CMS, and even disrupt the availability of the application. The vulnerability hinges on the use of Antlers, Statamic’s templating engine, within user-controlled content fields. This means that if an attacker can create or modify content with Antlers enabled, they can inject malicious code that will be executed by the CMS. This is particularly concerning in environments where users have broad permissions to configure fields and edit entries.
CVE-2026-28425 was published on 2026-03-01. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Given the RCE nature of the vulnerability and the potential for widespread impact, it is crucial to prioritize remediation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status: EPSS 0.14% (34th percentile)
The primary mitigation for CVE-2026-28425 is to upgrade Statamic CMS to version 5.73.16 or later. If immediate upgrading is not possible due to compatibility concerns or breaking changes, consider restricting access to Antlers-enabled inputs to only trusted users. Review and audit all Antlers configurations to ensure they adhere to security best practices. While a WAF might offer some protection, it's unlikely to be effective against this type of vulnerability without specific rules tailored to the Antlers templating engine. After upgrading, verify the fix by attempting to create or modify Antlers-enabled content and confirming that no malicious code is executed.
Update Statamic to version 5.73.16 or later, or to version 6.7.2 or later. This fixes the remote code execution vulnerability via Antlers-enabled inputs in the control panel. Also make sure that any add-on depending on Statamic is using a patched version.
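Because the advisory gives separate fixed versions for the 5.x line (5.73.16) and the 6.x line (6.7.2), a naive "installed version >= 5.73.16" check misclassifies an unpatched 6.x install as fixed. The following Python script is an added example, not code from the page or from the Statamic project: it reads a composer.lock document, locates the Statamic package and compares the installed version against the fix threshold for its major line. It assumes the Composer package name is `statamic/cms` (as published on Packagist) and uses a constructed composer.lock fragment as sample input.

```python
import json
import re

# Fixed versions as stated in the advisory text above. The 5.x and 6.x lines
# are patched separately, so each major line gets its own threshold.
FIXED_BY_MAJOR = {5: (5, 73, 16), 6: (6, 7, 2)}

# Composer package name for Statamic CMS (assumption: as published on Packagist).
PACKAGE = "statamic/cms"


def parse_version(text):
    """Turn 'v5.73.16' or '5.73.16-beta.1' into a comparable tuple (5, 73, 16).

    Pre-release suffixes are ignored; only the numeric major.minor.patch counts.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess_version(version):
    """Classify one installed version against the advisory's fix thresholds.

    Returns 'fixed', 'vulnerable', or 'unknown' for a major line the advisory
    text does not cover.
    """
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def assess_composer_lock(lock_text):
    """Find statamic/cms in a composer.lock document and return (version, status).

    Returns (None, 'not installed') when the package is absent from both the
    'packages' and 'packages-dev' sections.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                ver = pkg["version"]
                return ver, assess_version(ver)
    return None, "not installed"


# Constructed sample composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v6.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    ver, status = assess_composer_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {ver}: {status}")
```

Run it against a real lock file with `assess_composer_lock(open("composer.lock").read())`; the sample above reports `v6.0.1` as vulnerable, which the single-threshold comparison would have missed.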
CVE-2026-28425 is a Remote Code Execution vulnerability in Statamic CMS versions up to 5.9.0. It allows authenticated users with Antlers access to execute arbitrary code on the server.
You are affected if you are using Statamic CMS versions 5.9.0 or earlier and have users with access to Antlers-enabled inputs.
Upgrade Statamic CMS to version 5.73.16 or later. If upgrading is not immediately possible, restrict access to Antlers-enabled inputs.
As of now, there are no publicly known active exploitation campaigns, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the official Statamic security advisory on their website for detailed information and updates: [https://statamic.com/security/advisories](https://statamic.com/security/advisories)