What is the CVSS score of CVE-2026-25759?

CVE-2026-25759 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Laravel are affected by CVE-2026-25759?

A stored cross-site scripting vulnerability in Statmatic CMS allows authenticated content creators to inject malicious code that executes when administrators or other high-privilege users view…. A patch is available.

How to fix or mitigate CVE-2026-25759?

Within 24 hours: Identify all Statmatic instances running versions 6.0.0-6.2.2 and restrict content creation permissions to trusted personnel only. Within 7 days: Apply patch to version 6.2.3 or later across all affected instances and conduct security testing. Within 30 days: Audit all content titles created in the past 90 days for malicious payloads and implement input validation monitoring.

Laravel CVE-2026-25759

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-11 security-advisories@github.com

GHSA-ff9r-ww9c-43x8

Laravel XSS Statamic

8.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

Patch released

Feb 18, 2026 - 19:37 nvd

Patch available

CVE Published

Feb 11, 2026 - 21:16 nvd

HIGH 8.7

DescriptionGitHub Advisory

Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

AnalysisAI

Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with content creation permissions

Delivery

Inject malicious JavaScript in content title

Exploit

Admin views content

Execution

Malicious script executes in admin context

Impact

Create super admin account