CVE-2026-25759

HIGH EPSS 20.9%
Published Feb 11, 2026 · Modified Feb 18, 2026
8.7 CVSS 3.1
High

Description

Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

CVSS Details

Base Score
8.7
Exploitability
2.3
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
20.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor: statamic
Product: statamic
Version: *
Range: ≥6.0.0 – <6.2.3

References 3

  • github.com https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6
    Patch, Product
  • github.com https://github.com/statamic/cms/releases/tag/v6.2.3
    Release Notes
  • github.com https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8
    Vendor Advisory

Remediation

  • github.com https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6
    Patch, Product