CVE-2026-25759: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in statamic cms
Statamic is a Laravel and Git-powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.
AI Analysis
Technical Summary
CVE-2026-25759 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Statamic CMS versions from 6.0.0 up to but not including 6.2.3. Statamic is a Laravel and Git-powered content management system widely used for building websites. The vulnerability arises from improper neutralization of input during web page generation, specifically in content titles. Authenticated users with content creation permissions can inject malicious JavaScript code into these titles. When higher-privileged users, such as administrators, view the compromised content, the malicious script executes in their browsers. This can lead to severe consequences including session hijacking, theft of credentials, or even privilege escalation by creating super admin accounts. The attack vector requires the attacker to have a valid account with control panel access and content creation rights, and the victim must interact by viewing the malicious content. The vulnerability does not affect availability but severely impacts confidentiality and integrity. The CVSS v3.1 base score is 8.7, indicating high severity, with an attack vector of network, low attack complexity, requiring privileges and user interaction, and scope change due to privilege escalation. The issue was resolved in Statamic version 6.2.3. No known exploits in the wild have been reported yet.
Potential Impact
This vulnerability poses a significant risk to organizations using Statamic CMS versions 6.0.0 to 6.2.2. Attackers with limited privileges can leverage stored XSS to execute arbitrary JavaScript in the context of higher-privileged users, potentially leading to full account takeover and creation of super admin accounts. This compromises the confidentiality and integrity of the CMS and any data it manages, including sensitive website content and user information. The ability to escalate privileges can allow attackers to manipulate website content, inject further malicious code, or disrupt business operations indirectly. Organizations relying on Statamic for public-facing or internal websites may face reputational damage, data breaches, and regulatory compliance issues if exploited. Although no active exploits are currently known, the high severity and ease of exploitation given valid credentials make timely remediation critical.
Mitigation Recommendations
1. Upgrade Statamic CMS to version 6.2.3 or later immediately to apply the official patch that fixes this vulnerability.
2. Review and restrict content creation permissions to only trusted users to minimize the attack surface.
3. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources.
4. Conduct regular audits of user accounts and permissions to detect and remove unauthorized or unnecessary access.
5. Monitor logs for unusual activity related to content creation and administrative access.
6. Educate administrators and privileged users to be cautious when viewing content created by lower-privileged users until the patch is applied.
7. Consider implementing web application firewalls (WAF) with rules to detect and block XSS payloads targeting the CMS.
8. Perform security testing and code reviews on custom plugins or extensions that interact with content titles to ensure they do not introduce similar vulnerabilities.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Netherlands, France, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T18:35:52.357Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698cee1b4b57a58fa1cb063d
Added to database: 2/11/2026, 9:01:15 PM
Last enriched: 2/19/2026, 1:54:21 PM
Last updated: 2/21/2026, 12:19:37 AM
Views: 28