CVE-2026-32612: Statamic vulnerable to privilege escalation via stored cross-site scripting

March 13, 2026 (updated March 16, 2026)

Stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.

References

github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-32612
github.com/advisories/GHSA-hcch-w73c-jp4m
github.com/statamic/cms
github.com/statamic/cms/security/advisories/GHSA-hcch-w73c-jp4m
nvd.nist.gov/vuln/detail/CVE-2026-32612

Code Behaviors & Features

Detect and mitigate CVE-2026-32612 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →