Detections
Analytics

CVE-2026-25759

high

Description

Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

References

https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8

https://github.com/statamic/cms/releases/tag/v6.2.3

https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6

Details

Source: Mitre, NVD

Published: 2026-02-11

Updated: 2026-02-12

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.00009