GHSA-ff9r-ww9c-43x8

Source
https://github.com/advisories/GHSA-ff9r-ww9c-43x8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-ff9r-ww9c-43x8/GHSA-ff9r-ww9c-43x8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ff9r-ww9c-43x8
Aliases
Published
2026-02-11T18:17:58Z
Modified
2026-02-11T23:18:56.061255Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Statamic CMS vulnerable to privilege escalation via stored cross-site scripting
Details

Impact

A stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when the content is viewed by higher-privileged users.

A malicious user must have an account with control panel access and content creation permissions.

This vulnerability can be exploited to allow super admin accounts to be created.

Patches

This has been fixed in 6.2.3.

Database specific
{
    "github_reviewed_at": "2026-02-11T18:17:58Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-02-11T21:16:19Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH"
}
References

Affected packages

Packagist / statamic/cms

Package

Name
statamic/cms
Purl
pkg:composer/statamic/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.2.3

Affected versions

v6.*
v6.0.0
v6.1.0
v6.2.0
v6.2.1
v6.2.2
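
A small lockfile check for the affected range above, written as an added example for this page (not tooling from the OSV or Statamic projects): it parses a constructed composer.lock fragment, finds statamic/cms, and reports whether the pinned version lies in [6.0.0, 6.2.3). Composer's "v" version prefix is handled; non-release strings such as dev branches are not flagged.

```python
import json
import re

# Affected range stated in this advisory (Packagist ecosystem): >= 6.0.0, < 6.2.3.
PACKAGE = "statamic/cms"
INTRODUCED = "6.0.0"
FIXED = "6.2.3"


def parse_version(v: str):
    """Map 'v6.2.1' or '6.2.1' to an int tuple; None for non-release strings such as 'dev-main'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: str) -> bool:
    """True when version falls inside [INTRODUCED, FIXED); unparsable versions are not flagged."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    return parse_version(INTRODUCED) <= parsed < parse_version(FIXED)


def check_lockfile(lock_text: str) -> dict:
    """Find PACKAGE in a composer.lock document and report its pinned version and affected status."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == PACKAGE:
                version = entry.get("version", "")
                return {"installed": version, "affected": is_affected(version)}
    return {"installed": None, "affected": False}


# Constructed composer.lock fragment (not taken from any real project) pinning an affected release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": PACKAGE, "version": "v6.2.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))  # {'installed': 'v6.2.1', 'affected': True}
```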

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-ff9r-ww9c-43x8/GHSA-ff9r-ww9c-43x8.json"