From 76675388f16d9c3efee9818b3acbc76410588aea Mon Sep 17 00:00:00 2001
From: Henrique Cabral <hocabral37@gmail.com>
Date: Thu, 5 Mar 2026 17:43:52 -0300
Subject: [PATCH 1/3] New Vuln: Improper Input Validation in statamic/cms

---
 input/new.json | 38 ++++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/input/new.json b/input/new.json
index 87646b9a..4fa9236f 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,29 @@
 {
-  "package_name": "",
-  "patch_versions": [],
-  "vulnerable_ranges": [],
-  "cwe": [],
-  "tldr": "",
-  "doest_this_affect_me": "",
-  "how_to_fix": "",
-  "vulnerable_to": "",
+  "package_name": "statamic/cms",
+  "patch_versions": [
+    "6.3.3",
+    "5.73.10"
+  ],
+  "vulnerable_ranges": [
+    [
+      "6.0.0",
+      "6.3.2"
+    ],
+    [
+      "5.0.0",
+      "5.73.9"
+    ]
+  ],
+  "cwe": [
+    "CWE-20"
+  ],
+  "tldr": "Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as `v-html`, `innerHTML`, and unsanitized HTML returned by `marked`, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., `<script>` tags, event handlers, or crafted HTML) into fields rendered by these components, leading to **Cross-Site Scripting (XSS)** that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `statamic/cms` library to the patch version.",
+  "vulnerable_to": "Improper Input Validation",
   "related_cve_id": "",
-  "language": "",
-  "severity_class": "",
-  "aikido_score": 0,
-  "changelog": ""
+  "language": "PHP",
+  "severity_class": "HIGH",
+  "aikido_score": 74,
+  "changelog": "https://github.com/statamic/cms/releases/tag/v6.3.3"
 }

From a4a42fead55be63116ab959563b4956bc919d5f7 Mon Sep 17 00:00:00 2001
From: sampion88 <36301168+sampion88@users.noreply.github.com>
Date: Fri, 6 Mar 2026 10:10:31 +0100
Subject: [PATCH 2/3] Update new.json

---
 input/new.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/input/new.json b/input/new.json
index 4fa9236f..aa45d10f 100644
--- a/input/new.json
+++ b/input/new.json
@@ -15,15 +15,15 @@
     ]
   ],
   "cwe": [
-    "CWE-20"
+    "CWE-79"
   ],
-  "tldr": "Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as `v-html`, `innerHTML`, and unsanitized HTML returned by `marked`, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., `<script>` tags, event handlers, or crafted HTML) into fields rendered by these components, leading to **Cross-Site Scripting (XSS)** that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.",
+  "tldr": "Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as `v-html`, `innerHTML`, and unsanitized HTML returned by `marked`, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., `<script>` tags, event handlers, or crafted HTML) into fields rendered by these components, leading to Cross-Site Scripting (XSS) that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.",
   "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
   "how_to_fix": "Upgrade the `statamic/cms` library to the patch version.",
-  "vulnerable_to": "Improper Input Validation",
+  "vulnerable_to": "Cross-Site Scripting (XSS)",
   "related_cve_id": "",
   "language": "PHP",
-  "severity_class": "HIGH",
-  "aikido_score": 74,
+  "severity_class": "MEDIUM",
+  "aikido_score": 68,
   "changelog": "https://github.com/statamic/cms/releases/tag/v6.3.3"
 }

From dd8bce8162b7372acdd0cf9dc79b716014a3bc7c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Fri, 6 Mar 2026 09:10:58 +0000
Subject: [PATCH 3/3] Move new vulnerability to
 vulnerabilities/AIKIDO-2026-10304.json and reset new.json template

---
 input/new.json                         | 38 ++++++++------------------
 vulnerabilities/AIKIDO-2026-10304.json | 31 +++++++++++++++++++++
 2 files changed, 43 insertions(+), 26 deletions(-)
 create mode 100644 vulnerabilities/AIKIDO-2026-10304.json

diff --git a/input/new.json b/input/new.json
index aa45d10f..87646b9a 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,29 +1,15 @@
 {
-  "package_name": "statamic/cms",
-  "patch_versions": [
-    "6.3.3",
-    "5.73.10"
-  ],
-  "vulnerable_ranges": [
-    [
-      "6.0.0",
-      "6.3.2"
-    ],
-    [
-      "5.0.0",
-      "5.73.9"
-    ]
-  ],
-  "cwe": [
-    "CWE-79"
-  ],
-  "tldr": "Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as `v-html`, `innerHTML`, and unsanitized HTML returned by `marked`, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., `<script>` tags, event handlers, or crafted HTML) into fields rendered by these components, leading to Cross-Site Scripting (XSS) that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.",
-  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
-  "how_to_fix": "Upgrade the `statamic/cms` library to the patch version.",
-  "vulnerable_to": "Cross-Site Scripting (XSS)",
+  "package_name": "",
+  "patch_versions": [],
+  "vulnerable_ranges": [],
+  "cwe": [],
+  "tldr": "",
+  "doest_this_affect_me": "",
+  "how_to_fix": "",
+  "vulnerable_to": "",
   "related_cve_id": "",
-  "language": "PHP",
-  "severity_class": "MEDIUM",
-  "aikido_score": 68,
-  "changelog": "https://github.com/statamic/cms/releases/tag/v6.3.3"
+  "language": "",
+  "severity_class": "",
+  "aikido_score": 0,
+  "changelog": ""
 }
diff --git a/vulnerabilities/AIKIDO-2026-10304.json b/vulnerabilities/AIKIDO-2026-10304.json
new file mode 100644
index 00000000..266e5824
--- /dev/null
+++ b/vulnerabilities/AIKIDO-2026-10304.json
@@ -0,0 +1,31 @@
+{
+  "package_name": "statamic/cms",
+  "patch_versions": [
+    "6.3.3",
+    "5.73.10"
+  ],
+  "vulnerable_ranges": [
+    [
+      "6.0.0",
+      "6.3.2"
+    ],
+    [
+      "5.0.0",
+      "5.73.9"
+    ]
+  ],
+  "cwe": [
+    "CWE-79"
+  ],
+  "tldr": "Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as `v-html`, `innerHTML`, and unsanitized HTML returned by `marked`, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., `<script>` tags, event handlers, or crafted HTML) into fields rendered by these components, leading to Cross-Site Scripting (XSS) that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `statamic/cms` library to the patch version.",
+  "vulnerable_to": "Cross-Site Scripting (XSS)",
+  "related_cve_id": "",
+  "language": "PHP",
+  "severity_class": "MEDIUM",
+  "aikido_score": 68,
+  "changelog": "https://github.com/statamic/cms/releases/tag/v6.3.3",
+  "last_modified": "2026-03-06",
+  "published": "2026-03-06"
+}