AikidoSec · sampion88 · Mar 6, 2026 · Mar 5, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/vulnerabilities/AIKIDO-2026-10304.json b/vulnerabilities/AIKIDO-2026-10304.json
@@ -0,0 +1,31 @@
+{
+  "package_name": "statamic/cms",
+  "patch_versions": [
+    "6.3.3",
+    "5.73.10"
+  ],
+  "vulnerable_ranges": [
+    [
+      "6.0.0",
+      "6.3.2"
+    ],
+    [
+      "5.0.0",
+      "5.73.9"
+    ]
+  ],
+  "cwe": [
+    "CWE-79"
+  ],
+  "tldr": "Affected versions of this package improperly rendered user-controlled content directly into the DOM using mechanisms such as `v-html`, `innerHTML`, and unsanitized HTML returned by `marked`, enabling the injection of arbitrary HTML or JavaScript. Without proper sanitization or escaping, attacker-supplied input could be interpreted as executable markup instead of plain text. An attacker could exploit this by injecting malicious payloads (e.g., `<script>` tags, event handlers, or crafted HTML) into fields rendered by these components, leading to Cross-Site Scripting (XSS) that executes in the victim's browser, allowing session theft, credential harvesting, or arbitrary actions on behalf of the user.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `statamic/cms` library to the patch version.",
+  "vulnerable_to": "Cross-Site Scripting (XSS)",
+  "related_cve_id": "",
+  "language": "PHP",
+  "severity_class": "MEDIUM",
+  "aikido_score": 68,
+  "changelog": "https://github.com/statamic/cms/releases/tag/v6.3.3",
+  "last_modified": "2026-03-06",
+  "published": "2026-03-06"
+}