CVE-2026-28425
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
Description
### Impact

An authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability.

Exploitation is only possible where Antlers runs on user-controlled content, for example: content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions.

### Patches

This has been fixed in 5.73.16 and 6.7.2. Note that a follow-up report showed that the original 5.73.11 and 6.4.0 fixes were insufficient. If you use addons that depend on Statamic, ensure that after updating you are running a patched Statamic version.
How to fix CVE-2026-28425
To remediate CVE-2026-28425, upgrade the affected package to a fixed version below.
- Upgrade to 5.73.16 or later on the 5.x line, or 6.7.2 or later on the 6.x line. The earlier 5.73.11 and 6.4.0 releases do not fully fix the issue, so a version in the 5.73.11 to 5.73.15 or 6.4.0 to 6.7.1 ranges is still affected.
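Because addons pull in Statamic as a dependency, updating an addon does not guarantee the core package moved to a fixed release. The following script, an added example and not Statamic's own tooling, reads the installed version out of a `composer.lock` and classifies it against the fix levels stated above. It assumes the core package is named `statamic/cms` in the lock file and that the version string follows the usual `v5.73.12` form; the lock fragment embedded at the bottom is constructed for a stand-alone run.

```python
"""Classify an installed Statamic version against the CVE-2026-28425 fix levels.

Added example, not Statamic's own code. Fix levels come from the advisory text:
5.73.16 for the 5.x line and 6.7.2 for the 6.x line; the earlier 5.73.11 and
6.4.0 releases were reported as insufficient fixes.
"""
import json
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Complete fix per major line (from the advisory).
FIXED = {5: (5, 73, 16), 6: (6, 7, 2)}
# First, insufficient fix per major line (from the advisory).
FIRST_FIX = {5: (5, 73, 11), 6: (6, 4, 0)}


def parse_version(text: str) -> Version:
    """Turn 'v5.73.10', '5.73.10' or '6.7.2-beta.1' into a comparable tuple.

    The numeric part is padded to three components. A final element marks
    pre-releases (0) below releases (1), so '6.7.2-beta.1' sorts below '6.7.2'.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0,) if m.group(2) else (1,))


def assess(version_text: str) -> str:
    """Return 'patched', 'partially-fixed', 'vulnerable' or 'unknown'."""
    v = parse_version(version_text)
    major = v[0]
    if major not in FIXED:
        # The affected range starts at 0, so anything older than 5.x is
        # vulnerable; majors the advisory does not mention are reported as unknown.
        return "vulnerable" if major < min(FIXED) else "unknown"
    if v >= FIXED[major] + (1,):
        return "patched"
    if v >= FIRST_FIX[major] + (1,):
        # Carries the original 5.73.11 / 6.4.0 fix that was later shown insufficient.
        return "partially-fixed"
    return "vulnerable"


def statamic_version_from_lock(lock_json: str) -> Optional[str]:
    """Return the installed statamic/cms version from composer.lock contents.

    Assumes the core package is listed as 'statamic/cms' (an assumption of
    this example). Returns None when it is not present.
    """
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "statamic/cms":
            return pkg["version"]
    return None


# Constructed composer.lock fragment for a stand-alone run (not a real lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/example-addon", "version": "v2.1.0"},
        {"name": "statamic/cms", "version": "v5.73.12"},
    ]
})

if __name__ == "__main__":
    # Usage: python check_statamic.py [path/to/composer.lock]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_text = fh.read()
    else:
        lock_text = SAMPLE_LOCK
    installed = statamic_version_from_lock(lock_text)
    if installed is None:
        print("statamic/cms not found in lock file")
    else:
        print(f"statamic/cms {installed}: {assess(installed)}")
```

Run it against the real `composer.lock` of each deployment rather than the `composer.json` constraint: the lock file records what is actually installed, which is what matters after an addon update that may have left the core package at an insufficiently fixed release.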
Is CVE-2026-28425 being exploited?
Low. The EPSS score is 0.2%, an estimated probability of exploitation in the wild over the next 30 days; a score this low indicates no observed exploitation at scale, but it is not evidence that the issue is unexploitable, and the required control panel permissions are the main limiting factor.
Affected packages (1)
- from 0, < 5.73.16
CVSS scores
| Source | Version |
|---|---|