Statmatic affected by privilege escalation via stored cross-site scripting

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

AI Analysis

Stored XSS vulnerability in content titles allows authenticated users to inject malicious JavaScript, potentially leading to privilege escalation.

Basic Information

ID CVE-2026-25759

Source GitHub_M

Published Feb 11, 2026 at 20:37

Affected Product

Vendor statamic

Product cms

Version >= 6.0.0, < 6.2.3

Affected Versions statamic cms >= 6.0.0, < 6.2.3

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Statamic

Product Statamic CMS

Version 6.0.0 to 6.2.3

References

{
    "lastseen": "",
    "description": "Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.",
    "published": "2026-02-11T20:37:37.741Z",
    "modified": "2026-02-11T20:37:37.741Z",
    "type": "cve",
    "title": "Statmatic affected by privilege escalation via stored cross-site scripting",
    "source": "GitHub_M",
    "references": "https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8\nhttps://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6\nhttps://github.com/statamic/cms/releases/tag/v6.2.3",
    "id": "CVE-2026-25759",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "statamic cms >= 6.0.0, < 6.2.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 6.0.0, < 6.2.3",
    "vendor": "statamic",
    "ai_description": "Stored XSS vulnerability in content titles allows authenticated users to inject malicious JavaScript, potentially leading to privilege escalation.",
    "ai_severity": "High",
    "ai_vendor": "Statamic",
    "ai_product": "Statamic CMS",
    "ai_version": "6.0.0 to 6.2.3",
    "ai_score": 8.7
}

Statmatic affected by privilege escalation via stored cross-site scripting_CVE-2026-25759