Vulnerability Description
Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Statamic | Statamic | >= 6.0.0, < 6.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6PatchProduct
- https://github.com/statamic/cms/releases/tag/v6.2.3Release Notes
- https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8Vendor Advisory
FAQ
What is CVE-2026-25759?
CVE-2026-25759 is a vulnerability with a CVSS score of 8.7 (HIGH). Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permis...
How severe is CVE-2026-25759?
CVE-2026-25759 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25759?
Check the references section above for vendor advisories and patch information. Affected products include: Statamic Statamic.