Description
Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
Published: 2026-02-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Stored XSS in Statamic CMS
Action: Apply Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in content titles of Statamic CMS from version 6.0.0 up to, but not including, 6.2.3. An authenticated user with content creation permissions can place JavaScript in an entry title; the script runs in the browser of any higher-privileged user who views that content, inside that user's control panel session. Because it runs as the victim, the script can drive the control panel on the victim's behalf, including creating new super administrator accounts, so the attacker effectively escalates from content author to super admin. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'); this is the stored variant, not a reflected one, since the payload persists in the content until it is removed.

Affected Systems

The affected product is Statamic CMS, a Laravel-based content management system. Every release from 6.0.0 up to but not including 6.2.3 is affected; 6.2.3 contains the fix. Operators of a 6.x installation should confirm the installed version (for example from the Composer lock file of the deployment) and schedule an upgrade where it falls in the affected range.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) scores 8.7, High: the attack is network-reachable and low complexity, requires only low privileges (a content author account), needs user interaction (a higher-privileged user must view the poisoned content), and changes scope because the payload executes in the victim's session rather than the attacker's. Confidentiality and integrity impact are rated high, availability none. The EPSS score is below 1%, the issue is not in the CISA KEV catalog, and the SSVC assessment records exploitation as "none" and the flaw as not automatable. Exploitation requires a control-panel account with content-creation rights; once the attacker has injected a title, the embedded script runs whenever a higher-privileged user views the content and can create super-admin accounts. The real-world risk is therefore high wherever content creation is granted to untrusted or semi-trusted users (contributors, agencies, former staff whose accounts were never removed), and is bounded by the authentication and role constraints above elsewhere.

Generated by OpenCVE AI on April 17, 2026 at 20:13 UTC.

Remediation

Fixed by the vendor in Statamic CMS 6.2.3; see GHSA-ff9r-ww9c-43x8 under Advisories below. No workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to version 6.2.3 or later; that release contains the fix for the stored XSS flaw.
  • Audit existing content titles for HTML tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs. The upgrade stops new payloads from executing, but titles injected before it remain in the stored content and should be reviewed and cleaned rather than trusted.
  • Restrict content-creation and control panel access to a minimal set of trusted users, and review the user list for super admin accounts that nobody recognises, since the advisory states the flaw can be used to create them.
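The two checks above (is the installed version in the affected range, and do any stored titles already carry script-like markup) are easy to script. The following is an added example written for this page, not Statamic's own tooling or anything from the advisory. It assumes, as is the case for Statamic installs but not stated on this page, that Composer records the package as statamic/cms in composer.lock and that flat-file entries are Markdown files with a YAML front matter title key under content/collections/; the sample lock file and entries are constructed inline.

```python
"""Added check for CVE-2026-25759 (Statamic CMS stored XSS in content titles).

Example code written for this page, not Statamic's own tooling.
Assumptions (not stated on the page): Composer records the package as
"statamic/cms" in composer.lock, and flat-file entries are Markdown files
with a YAML front matter "title:" key under content/collections/.
"""
import json
import re

AFFECTED_MIN = (6, 0, 0)   # first affected release per the advisory
FIXED = (6, 2, 3)          # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """'v6.2.2' -> (6, 2, 2). Pre-release suffixes such as '-beta.1' are dropped."""
    core = version.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def statamic_version(composer_lock: str):
    """Return the installed statamic/cms version string from composer.lock, or None."""
    lock = json.loads(composer_lock)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "statamic/cms":
            return pkg.get("version")
    return None


def is_vulnerable(version: str) -> bool:
    """True if 6.0.0 <= version < 6.2.3, the range given in the advisory."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Markup that has no business in a plain title: a tag, an inline event
# handler, or a javascript: URL. Heuristic only; review every hit by hand.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
TITLE_LINE = re.compile(r"^title:\s*(.*)$", re.MULTILINE)


def entry_title(markdown: str):
    """Pull the title out of an entry's YAML front matter.

    This reads one flat key with a regex instead of a YAML parser, and strips
    a matching pair of outer quotes; good enough for an audit pass.
    """
    m = re.match(r"^---\n(.*?)\n---", markdown, re.DOTALL)
    if not m:
        return None
    t = TITLE_LINE.search(m.group(1))
    if not t:
        return None
    raw = t.group(1).strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        raw = raw[1:-1]
    return raw


def suspicious_titles(entries: dict) -> list:
    """entries: {path: file text}. Returns [(path, title)] for markup-like titles."""
    hits = []
    for path, text in entries.items():
        title = entry_title(text)
        if title and SUSPICIOUS.search(title):
            hits.append((path, title))
    return hits


# Constructed sample inputs for the demo; not real files from any site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v12.0.0"},
    {"name": "statamic/cms", "version": "v6.2.2"},
]})

SAMPLE_ENTRIES = {
    "content/collections/pages/about.md":
        "---\nid: a1\ntitle: 'About us'\n---\nPlain page.",
    "content/collections/pages/promo.md":
        "---\nid: b2\ntitle: 'Sale <img src=x onerror=alert(1)>'\n---\n",
}

if __name__ == "__main__":
    ver = statamic_version(SAMPLE_LOCK)
    state = "VULNERABLE" if ver and is_vulnerable(ver) else "ok"
    print(f"statamic/cms {ver}: {state}")
    for path, title in suspicious_titles(SAMPLE_ENTRIES):
        print(f"review: {path}: {title!r}")
```

On a real deployment, feed statamic_version the contents of composer.lock and build the entries dict by walking content/collections/ for *.md files; any hit from suspicious_titles deserves a manual look and, if it is a payload, removal from the content repository as well as the running site.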

Advisories
Source: GitHub GHSA
ID: GHSA-ff9r-ww9c-43x8
Title: Statamic CMS vulnerable to privilege escalation via stored cross-site scripting
History

Each entry below lists the values added at that time; no values were removed in any entry.

Wed, 18 Feb 2026 19:45:00 +0000

  First Time appeared: Statamic, statamic
  CPEs: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
  Vendors & Products: Statamic, statamic

Thu, 12 Feb 2026 22:15:00 +0000

  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

  First Time appeared: Statamic, Statamic cms
  Vendors & Products: Statamic, Statamic cms

Wed, 11 Feb 2026 21:00:00 +0000

  Description: Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
  Title: Statamic affected by privilege escalation via stored cross-site scripting
  Weaknesses: CWE-79
  References:
  Metrics: cvssV3_1
    {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:18:56.237Z

Reserved: 2026-02-05T18:35:52.357Z

Link: CVE-2026-25759

Vulnrichment

Updated: 2026-02-12T21:18:52.506Z

NVD

Status : Analyzed

Published: 2026-02-11T21:16:19.097

Modified: 2026-02-18T19:37:29.220

Link: CVE-2026-25759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses