VYPR
High severity · 8.0 · OSV Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026

CVE-2025-64112

Description

Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content-creation permissions to inject malicious JavaScript that executes when the affected content is viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: statamic/cms (Packagist)
Affected versions: < 5.22.1
Patched versions: 5.22.1

Affected products (1)

  • Range: v3.0.0, v3.0.0-beta.15, v3.0.0-beta.16, …

Patches (1)

Commit e513751f4336

[5.x] Add sanitization (#10656)

https://github.com/statamic/cms · Duncan McClean · Aug 19, 2024 · via ghsa
5 files changed · +5 −5
  • resources/views/collections/empty.blade.php · +1 −1 · modified
    @@ -10,7 +10,7 @@
             'url' => cp_route('collections.index'),
             'title' => __('Collections')
         ])
    -    <h1>{{ __($collection->title()) }}</h1>
    +    <h1 v-pre>{{ __($collection->title()) }}</h1>
     </header>
     
     <div class="card p-4 content">
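Review bot: the commit message says "Add sanitization", but the changed line `<h1 v-pre>{{ __($collection->title()) }}</h1>` does not sanitize anything; `v-pre` tells Vue to skip template compilation of the h1 and its children, so a title that Blade has already HTML-escaped is no longer re-parsed as a Vue mustache expression when the control panel mounts. Please state that mechanism in the commit message so the change is not mistaken for output escaping, and note that `v-pre` only covers this one element: any other view that interpolates `$collection->title()` inside Vue-compiled markup needs the same attribute.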
    
  • resources/views/forms/show.blade.php · +1 −1 · modified
    @@ -12,7 +12,7 @@
                 'title' => __('Forms')
             ])
             <div class="flex items-center">
    -            <h1 class="flex-1">
    +            <h1 v-pre class="flex-1">
                     {{ __($form->title()) }}
                 </h1>
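Review bot: this hunk changes resources/views/forms/show.blade.php, which the advisory description (Collections and Taxonomies) does not mention; if form titles are also settable by users with content permissions, the affected-components list should be updated, and a regression test that renders a form whose title contains literal `{{ ... }}` braces and asserts they appear unchanged in the page would pin the fix down. Placing `v-pre` on the opening `<h1 v-pre class="flex-1">` does correctly cover the `{{ __($form->title()) }}` child text on the following line, since the attribute applies to the whole subtree.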
     
    
  • resources/views/taxonomies/empty.blade.php · +1 −1 · modified
    @@ -10,7 +10,7 @@
             'url' => cp_route('taxonomies.index'),
             'title' => __('Taxonomies')
         ])
    -    <h1>{{ __($taxonomy->title()) }}</h1>
    +    <h1 v-pre>{{ __($taxonomy->title()) }}</h1>
     </header>
     
     <div class="card p-4 content">
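Review bot: the change to `<h1 v-pre>{{ __($taxonomy->title()) }}</h1>` is identical in shape to the collections/empty.blade.php fix, and the `'url' => ...` / `'title' => ...` array closed by `])` just above shows both views already feed a shared header partial; consider rendering the heading from that partial so a future view cannot omit `v-pre`. Separately, passing a user-controlled title through `__()` means it is first looked up as a translation key; that is unrelated to the XSS but worth a comment, since it is surprising behaviour for user-supplied text.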
    
  • resources/views/taxonomies/show.blade.php · +1 −1 · modified
    @@ -12,7 +12,7 @@
                 'title' => __('Taxonomies')
             ])
             <div class="flex items-center">
    -            <h1 class="flex-1">{{ __($taxonomy->title()) }}</h1>
    +            <h1 v-pre class="flex-1">{{ __($taxonomy->title()) }}</h1>
     
                 <dropdown-list class="rtl:ml-2 ltr:mr-2">
                     @can('edit', $taxonomy)
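Review bot: the scoping here is right: `v-pre` on `<h1 v-pre class="flex-1">{{ __($taxonomy->title()) }}</h1>` covers only the heading, while the sibling `<dropdown-list>` component and the `@can('edit', $taxonomy)` block beneath it remain Vue-compiled as they must. One caveat worth a short comment next to the attribute: `v-pre` also disables Vue directives and component tags inside that element, so anything later added inside the h1 (a bound attribute, a component) would silently render as plain text; documenting why the attribute is there prevents that from being "fixed" away.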
    
  • resources/views/usergroups/show.blade.php · +1 −1 · modified
    @@ -12,7 +12,7 @@
                 'title' => __('User Groups')
             ])
             <div class="flex items-center">
    -            <h1 class="flex-1">{{ __($group->title()) }}</h1>
    +            <h1 v-pre class="flex-1">{{ __($group->title()) }}</h1>
                 <dropdown-list class="rtl:ml-2 ltr:mr-2">
                     @can('edit', $group)
                         <dropdown-item :text="__('Edit User Group')" redirect="{{ $group->editUrl() }}"></dropdown-item>
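Review bot: applying `v-pre` to `<h1 v-pre class="flex-1">{{ __($group->title()) }}</h1>` keeps this view consistent with the collection and taxonomy headings, which is the right call even though editing groups is gated by `@can('edit', $group)`. Note that `v-pre` on the h1 does not reach the sibling `<dropdown-item>`: its `redirect="{{ $group->editUrl() }}"` attribute is a framework-generated URL here, but any attribute that carries a user-supplied value into a Vue component binding would need its own escaping, so a test covering the group title would be a useful companion to this hunk.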
    
