CVE-2026-25759

Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6	Patch Product
https://github.com/statamic/cms/releases/tag/v6.2.3	Release Notes
https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-11 21:16

Updated : 2026-02-18 19:37

NVD link : CVE-2026-25759

Mitre link : CVE-2026-25759

CVE.ORG link : CVE-2026-25759

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-25759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-02-11T21:16:19.097", "references": [{"url": "https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6", "tags": ["Patch", "Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/releases/tag/v6.2.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3."}, {"lang": "es", "value": "Statmatic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Desde la 6.0.0 hasta antes de la 6.2.3, una vulnerabilidad de XSS almacenado en los t\u00edtulos de contenido permite a usuarios autenticados con permisos de creaci\u00f3n de contenido inyectar JavaScript malicioso que se ejecuta cuando es visto por usuarios con mayores privilegios. El usuario malicioso debe tener una cuenta con acceso al panel de control y permisos de creaci\u00f3n de contenido. Esta vulnerabilidad puede ser explotada para permitir la creaci\u00f3n de cuentas de superadministrador. Esto ha sido corregido en la 6.2.3."}], "lastModified": "2026-02-18T19:37:29.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08046306-6614-476F-A450-B90A03160915", "versionEndExcluding": "6.2.3", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}