VYPR
High severity · NVD Advisory · Published Feb 11, 2026 · Updated Feb 12, 2026

Statamic affected by privilege escalation via stored cross-site scripting

CVE-2026-25759

Description

Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This vulnerability can be exploited to allow super admin accounts to be created. This has been fixed in 6.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Statamic CMS content titles lets authenticated attackers with content creation privileges execute JavaScript in super admin browsers, enabling account takeover.

Vulnerability

Statamic CMS versions 6.0.0 through 6.2.2 contain a stored cross-site scripting (XSS) vulnerability in content titles. The application fails to escape HTML in title fields before rendering them, allowing injection of malicious scripts. [1]

Exploitation

An attacker must have an authenticated account with control panel access and content creation permissions. By crafting a title containing malicious JavaScript, the payload is stored and later executed when a higher-privileged user (such as a super admin) views the content. [1]

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the higher-privileged user's session, potentially creating new super admin accounts and gaining full control over the CMS. [1]

Mitigation

The vulnerability is fixed in Statamic CMS version 6.2.3. The fix adds HTML escaping of the title text in the command palette component before the search-highlight markup is built, preventing XSS. [2][3] Users should upgrade immediately.
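The following is an added example, not code from the Statamic repository (its `escapeHtml` helper and fuzzysort-based highlighting are not reproduced). It shows why an unescaped title fed into search-highlight markup is a stored XSS sink (the Vulnerability and Mitigation sections above), the escape-first shape of the 6.2.3 fix, and a segment-escaping variant that keeps a match from landing inside an escaped entity. The matcher is a plain substring stand-in for fuzzysort, and `escapeHtml`, the span markup and the sample titles are constructed here.

```javascript
// Added example (not Statamic's code): why an unescaped title in the command
// palette highlight was a stored XSS sink, and two ways of escaping it.
// The fuzzy matcher is replaced by a plain case-insensitive substring match so
// the example runs without fuzzysort; escapeHtml, the span markup and the
// sample titles are constructed here and are not the project's.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five HTML-significant characters so text can be rendered as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const OPEN = '<span class="hl">';
const CLOSE = '</span>';

// Stand-in for fuzzysort matching: [start, end) of query in text, or null.
function findMatch(query, text) {
  if (!query) return null;
  const idx = text.toLowerCase().indexOf(query.toLowerCase());
  return idx === -1 ? null : [idx, idx + query.length];
}

// Wrap the [start, end) slice of text in the highlight span, passing each of
// the three segments through `esc` (identity function = no escaping).
function wrap(text, m, esc) {
  return esc(text.slice(0, m[0])) + OPEN + esc(text.slice(m[0], m[1])) + CLOSE + esc(text.slice(m[1]));
}

// Pre-fix shape: the raw title goes straight into markup that is later rendered as HTML.
function highlightUnsafe(query, title) {
  const m = findMatch(query, title);
  return m ? wrap(title, m, (s) => s) : title;
}

// Shape of the 6.2.3 fix: escape the whole title first, then match and wrap the escaped string.
function highlightEscapedFirst(query, title) {
  const safe = escapeHtml(title);
  const m = findMatch(query, safe);
  return m ? wrap(safe, m, (s) => s) : safe;
}

// Alternative: match on the raw title and escape each segment separately, so a
// match can never land inside an entity produced by escaping.
function highlightSegmentEscaped(query, title) {
  const m = findMatch(query, title);
  return m ? wrap(title, m, escapeHtml) : escapeHtml(title);
}

// Test-side check: true if the output contains any tag other than the highlight span.
function containsForeignMarkup(html) {
  const stripped = html.split(OPEN).join('').split(CLOSE).join('');
  return /<[a-z!\/]/i.test(stripped);
}

// Constructed sample title containing an HTML tag, as an authenticated editor could enter it.
const SAMPLE_TITLE = 'Q3 plan <img src=x onerror=alert(1)>';

console.log(highlightUnsafe('plan', SAMPLE_TITLE));        // tag survives: rendered as HTML, it executes
console.log(highlightEscapedFirst('plan', SAMPLE_TITLE));  // tag is now &lt;img ...&gt; text
console.log(highlightEscapedFirst('amp', 'Tom & Jerry'));  // span splits the &amp; entity
console.log(highlightSegmentEscaped('&', 'Tom & Jerry'));  // entity stays intact inside the span
```

The escape-first variant is safe against injection, but because it matches against the escaped string a query can be highlighted inside an entity (`Tom &<span>amp</span>; Jerry`), which the browser no longer renders as `&`. Escaping per segment after matching on the raw text avoids that while keeping every segment escaped.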

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions     Patched versions
statamic/cms (Packagist)    >= 6.0.0, < 6.2.3     6.2.3

Affected products

  • statamic/cmsv5
    Range: >= 6.0.0, < 6.2.3

Patches

6ed4f65f3387

[6.x] Escape html in command palette (#13825)

https://github.com/statamic/cms · Jason Varga · Feb 5, 2026 · via ghsa
1 file changed · +18 −17
  • resources/js/components/command-palette/CommandPalette.vue (+18 −17, modified)
    @@ -12,6 +12,7 @@ import { motion } from 'motion-v';
     import { cva } from 'cva';
     import { Icon, Subheading } from '@/components/ui';
     import { router } from '@inertiajs/vue3';
    +import { escapeHtml } from '@/bootstrap/globals.js';
     
     let metaPressed = ref(false);
     let open = ref(false);
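Review bot: the whole fix rests on `escapeHtml` from `@/bootstrap/globals.js`, whose implementation is not in this diff; confirm it escapes `&`, `<`, `>`, `"` and `'` (not only angle brackets), since the escaped title is subsequently interpolated into HTML by `highlight()` and rendered into the DOM. A unit test on `highlightResult` with a title containing each of those characters would pin that behaviour down.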
    @@ -74,35 +75,35 @@ const aggregatedItems = computed(() => [
         ...(searchResults.value || []),
     ]);
     
    +function highlightResult(text) {
    +    const classes = 'text-blue-600 dark:text-blue-400 underline underline-offset-4 decoration-blue-200 dark:decoration-blue-600/45';
    +    const safeText = escapeHtml(text);
    +    const result = fuzzysort.single(query.value, safeText);
    +    return result?.highlight(`<span class="${classes}">`, '</span>') || safeText;
    +}
    +
     const results = computed(() => {
         let items = aggregatedItems.value.map(item => normalizeItem(item));
    -    let filterableItems = items.filter(item => item.category !== 'Content Search');
    -    const highlightClasses = 'text-blue-600 dark:text-blue-400 underline underline-offset-4 decoration-blue-200 dark:decoration-blue-600/45';
    +    let filterableItems = items.filter(item => item.text && item.category !== 'Content Search');
     
         let filtered = fuzzysort
             .go(query.value, filterableItems, {
                 all: true,
                 keys: ['text'],
                 scoreFn: fuzzysortScoringAlgorithm,
             })
    -        .map(result => {
    -            return {
    -                score: result._score,
    -                html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'),
    -                ...result.obj,
    -            };
    -        });
    +        .map(result => ({
    +            score: result._score,
    +            html: highlightResult(result.obj.text),
    +            ...result.obj,
    +        }));
     
     	let contentSearchResults = items
     		.filter(item => item.category === 'Content Search')
    -		.map(item => {
    -			let result = fuzzysort.single(query.value, item.text);
    -
    -			return {
    -				...item,
    -				html: result?.highlight(`<span class="${highlightClasses}">`, '</span>') || item.text,
    -			};
    -		});
    +		.map(item => ({
    +			...item,
    +			html: highlightResult(item.text),
    +		}));
     
         filtered = [...contentSearchResults, ...filtered];
     
    
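Review bot: `highlightResult` runs `fuzzysort.single` on the already escaped string, so `highlight()` can insert the `<span>` tags inside an entity produced by `escapeHtml`: a title `Tom & Jerry` becomes `Tom &amp; Jerry`, and a query such as `amp` yields `Tom &<span ...>amp</span>; Jerry`, which the browser no longer renders as `&`. Matching on `item.text` and escaping each highlighted and unhighlighted segment separately (or, if the fuzzysort version in use supports it, the callback form of `highlight()` that lets each segment be escaped individually) keeps both the escaping and the original match positions. Secondary: the keyed `fuzzysort.go` result already carries match positions in `result[0]`, so re-running `fuzzysort.single` inside the `.map` doubles the matching work per result; the `item.text &&` guard added to `filterableItems` is the right call, since `escapeHtml` would otherwise be handed `undefined`.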

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.