CVE-2026-25759
Severity: HIGH · EPSS 20.9%
CVSS 3.1 base score: 8.7
Published Feb 11, 2026 · Modified Feb 18, 2026
Description
Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when the title is viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to create super admin accounts. This has been fixed in 6.2.3.
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: None
Threat Intelligence
- EPSS exploit probability: 20.9% percentile
Exploit & Patch Status
- No known exploit
- Patch available
Weaknesses (1)
- CWE-79: Cross-site Scripting
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| statamic | statamic | * | ≥6.0.0 – <6.2.3 |
References (3)
- https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6
- https://github.com/statamic/cms/releases/tag/v6.2.3
- https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8
Remediation
- https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6