CVE-2026-25759: Statamic CMS vulnerable to privilege escalation via stored cross-site scripting

February 11, 2026

Stored XSS vulnerability in content titles allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.

Malicious user must have an account with control panel access and content creation permissions.

This vulnerability can be exploited to allow super admin accounts to be created.

References

github.com/advisories/GHSA-ff9r-ww9c-43x8
github.com/statamic/cms
github.com/statamic/cms/releases/tag/v6.2.3
github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8
nvd.nist.gov/vuln/detail/CVE-2026-25759

Code Behaviors & Features

Detect and mitigate CVE-2026-25759 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →