CVE-2026-25759
Published: 11 February 2026
Summary
CVE-2026-25759 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Statamic Statamic. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stored XSS vulnerability by requiring timely patching to Statamic 6.2.3 or later, which addresses the flaw in content title handling.
Prevents injection of malicious JavaScript into content titles by validating and sanitizing inputs from authenticated content creators.
Stops execution of injected JavaScript when higher-privileged users view affected content titles through output filtering and encoding.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing CMS directly enables exploitation of the web app (T1190) by low-priv authenticated users to achieve privilege escalation (T1068) via JS execution in higher-priv contexts, resulting in unauthorized admin account creation.
NVD Description
Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged…
more
users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
Deeper analysisAI
CVE-2026-25759 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Statamic, a Laravel and Git-powered content management system (CMS). The issue exists in versions from 6.0.0 up to but not including 6.2.3, specifically within content titles. It allows authenticated users to inject malicious JavaScript that persists and executes in the context of viewers with higher privileges. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and potential for privilege escalation.
An attacker requires an authenticated account with control panel access and content creation permissions to exploit this. By injecting malicious payloads into content titles, the JavaScript executes when higher-privileged users, such as super admins, view the affected content. This can lead to severe outcomes, including the creation of super admin accounts, enabling full compromise of the CMS instance through unauthorized administrative actions.
The vulnerability has been addressed in Statamic version 6.2.3, as detailed in the project's security advisory (GHSA-ff9r-ww9c-43x8), release notes, and the fixing commit (6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6). Security practitioners should upgrade to 6.2.3 or later and review access controls for content creation permissions to mitigate risks.
Details
- CWE(s)