Home / Vulnerability Intelligence / CVE-2026-28426

CVE-2026-28426 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 2, 2026

Statmatic - Stored XSS

Published: February 27, 2026Updated: March 2, 2026Remote Exploitable

Overview

Statmatic < 5.73.11 and < 6.4.0 contains a stored XSS caused by improper sanitization in svg and icon components, letting authenticated users with permissions inject malicious JavaScript executed by higher-privileged users.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 2.5%(Probability of exploitation in next 30 days)

Impact

Authenticated users can inject JavaScript that executes in higher-privileged users' browsers, potentially leading to session hijacking or privilege escalation.

Mitigation

Update to versions 5.73.11 or 6.4.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 28, 2026

🟠 CVE-2026-28426 - High (8.7) Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious Jav... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28426/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28426
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: unconfirmed
EPSS: 2.5%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

2.5%Probability of exploitation in the next 30 days