Cyber Resilience

CVE-2026-25759

High

Published: 11 February 2026

Published
11 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0029 20.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25759 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Statamic Statamic. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-25759 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Statamic, a Laravel and Git-powered content management system (CMS). The issue exists in versions from 6.0.0 up to but not including 6.2.3, specifically within content titles. It allows authenticated users to inject malicious JavaScript that persists and executes in the context of viewers with higher privileges. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and potential for privilege escalation.

An attacker requires an authenticated account with control panel access and content creation permissions to exploit this. By injecting malicious payloads into content titles, the JavaScript executes when higher-privileged users, such as super admins, view the affected content. This can lead to severe outcomes, including the creation of super admin accounts, enabling full compromise of the CMS instance through unauthorized administrative actions.

The vulnerability has been addressed in Statamic version 6.2.3, as detailed in the project's security advisory (GHSA-ff9r-ww9c-43x8), release notes, and the fixing commit (6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6). Security practitioners should upgrade to 6.2.3 or later and review access controls for content creation permissions to mitigate risks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged…

more

users. Malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS in public-facing CMS directly enables exploitation of the web app (T1190) by low-priv authenticated users to achieve privilege escalation (T1068) via JS execution in higher-priv contexts, resulting in unauthorized admin account creation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28426Same product: Statamic Statamic
CVE-2026-33172Same product: Statamic Statamic
CVE-2026-27196Same product: Statamic Statamic
CVE-2026-28425Same product: Statamic Statamic
CVE-2026-27939Same product: Statamic Statamic
CVE-2026-28423Same product: Statamic Statamic
CVE-2026-41175Same product: Statamic Statamic
CVE-2026-27593Same product: Statamic Statamic
CVE-2026-34571Shared CWE-79
CVE-2026-34617Shared CWE-79

Affected Assets

statamic
statamic
6.0.0 — 6.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the stored XSS vulnerability by requiring timely patching to Statamic 6.2.3 or later, which addresses the flaw in content title handling.

prevent

Prevents injection of malicious JavaScript into content titles by validating and sanitizing inputs from authenticated content creators.

prevent

Stops execution of injected JavaScript when higher-privileged users view affected content titles through output filtering and encoding.

References