CVE-2025-64112: Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
Stored cross-site scripting (XSS) vulnerabilities in Statamic's Collections and Taxonomies allow an authenticated control panel user with content creation permissions to inject JavaScript that executes in the browser of any higher-privileged user who views the affected content. Because the script runs inside the victim's control panel session, the actions listed below are carried out with that user's privileges.
This affects:
- Control panel users with permission to create or edit Collections and Taxonomies
- Versions up to and including 5.22.0
The vulnerability can be exploited to:
- Change a super admin’s password (versions ≤ 5.21.0)
- Change a super admin’s email address so that a password reset can be sent to the new address (version 5.22.0)
- Gain unauthorized access to super admin accounts
The attack requires:
- An authenticated user with control panel and content creation permissions
- A super admin to view the injected content in the control panel
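A lock-file check for the affected range, added here as an example; it is not part of this advisory or of Statamic's own code. It reads the statamic/cms pin from a Composer lock file, applies the range stated above (all releases up to and including 5.22.0) and reports which of the two listed impacts applies, using 5.21.0 as the boundary given in this advisory. Releases above 5.22.0 are reported only as outside the listed range, because the advisory does not name the release that fixes the issue. The sample lock file is constructed for the example.

```python
import json

# Affected range stated in the advisory: every statamic/cms release up to and including 5.22.0.
LAST_AFFECTED = (5, 22, 0)
# Boundary between the two impacts the advisory lists (password change vs. email change).
LAST_PASSWORD_CHANGE = (5, 21, 0)


def parse_version(version):
    """Reduce a Composer version string such as 'v5.21.3' or '5.22.0-beta.1'
    to a (major, minor, patch) tuple of ints. Returns None for branch aliases
    such as 'dev-main', which cannot be placed in a release range."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    numbers = []
    for part in core.split(".")[:3]:
        if not part.isdigit():
            return None
        numbers.append(int(part))
    if not numbers:
        return None
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def find_package(lock, name):
    """Locate a package entry in either the production or the dev section of composer.lock."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg
    return None


def assess_lock(lock_json):
    """Classify the pinned statamic/cms release against CVE-2025-64112.

    Returns a dict with the installed version string, whether it falls in the
    affected range (True / False / None when the pin is not a release), and
    which of the two impacts from the advisory applies."""
    lock = json.loads(lock_json)
    pkg = find_package(lock, "statamic/cms")
    if pkg is None:
        return {"installed": None, "affected": False,
                "impact": "statamic/cms is not in this lock file"}
    installed = pkg.get("version", "")
    parsed = parse_version(installed)
    if parsed is None:
        return {"installed": installed, "affected": None,
                "impact": "non-release pin; check the referenced commit manually"}
    if parsed > LAST_AFFECTED:
        return {"installed": installed, "affected": False,
                "impact": "outside the affected range listed in the advisory"}
    if parsed <= LAST_PASSWORD_CHANGE:
        impact = "stored XSS can change a super admin's password"
    else:
        impact = "stored XSS can change a super admin's email address to initiate a password reset"
    return {"installed": installed, "affected": True, "impact": impact}


def assess_lock_file(path):
    """Convenience wrapper: assess the composer.lock at the given path."""
    with open(path, encoding="utf-8") as fh:
        return assess_lock(fh.read())


# Constructed sample lock file (not from a real project) pinning the last affected release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v5.22.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(assess_lock(SAMPLE_LOCK))
```

Run it against a real project with `assess_lock_file("composer.lock")`; a pin such as `dev-main` is deliberately reported as undetermined rather than guessed, since only the release range is given here.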