CVE-2026-25759
HIGH
GHSA-ff9r-ww9c-43x8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3Description
Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
Analysis
Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Statmatic instances running versions 6.0.0-6.2.2 and restrict content creation permissions to trusted personnel only. Within 7 days: Apply patch to version 6.2.3 or later across all affected instances and conduct security testing. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today