Command Pwned: Stored XSS in Statamic's Command Palette
Vulnerability ID: CVE-2026-25759
CVSS Score: 8.7
Published: 2026-02-11
A high-severity Stored Cross-Site Scripting (XSS) vulnerability in Statamic CMS lets an authenticated user who can create or edit entries (for example a content editor) store a JavaScript payload in an entry title. When a Super Admin searches the global Command Palette and the poisoned entry matches, the title is rendered into the result list unescaped and the payload executes in the admin's session, leading to account takeover and potential Remote Code Execution (RCE).
TL;DR
Low-privileged editors can name an entry with a malicious XSS payload. When a Super Admin opens the Command Palette (Cmd+K) and searches for a string that matches that title, the script runs in the admin's browser session, giving the attacker the admin's access.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-25759
- CVSS v3.1: 8.7 (High)
- CWE: CWE-79 (Cross-site Scripting)
- Attack Vector: Network (Stored)
- Privileges Required: Low (Editor)
- User Interaction: Required (a Super Admin must search the Command Palette for a term that matches the poisoned title)
- Patch Status: Fixed in v6.2.3
Affected Systems
- Statamic CMS >= 6.0.0, < 6.2.3 (all 6.0.x and 6.1.x releases, and 6.2.0 through 6.2.2)
- Fixed in: 6.2.3
Code Analysis
Commit: 6ed4f65
Escape HTML in Command Palette
import { escapeHtml } from '@/bootstrap/globals.js';
...
- html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'),
+ html: highlightResult(result[0]),
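Review bot: the hunk only shows the call site being swapped from result[0].highlight(...) to highlightResult(result[0]); the body of highlightResult is not in the diff, so the escaping that the imported escapeHtml is meant to provide cannot be verified here. Confirm that highlightResult escapes the plain-text segments of the title before inserting the `<span class="${highlightClasses}">` wrapper, not the finished highlighted string (escaping after highlighting would turn the span itself into literal text), and that no other place still binds the raw highlight() output as HTML.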
Exploit Details
- Manual Analysis: the PoC is derived from the patch diff rather than a public exploit. Create or rename an entry so that its title contains HTML or script markup, then have a Super Admin open the Command Palette and search for a term that matches the title; the result row is rendered as HTML and the payload runs.
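To show why the pre-patch rendering was exploitable and what the escape-then-highlight pattern of the fix changes, here is an added example in JavaScript. It is not Statamic's code: the value of the highlight class list, the escapeHtml implementation, and the names findMatches, vulnerableHighlight, safeHighlight and containsForeignMarkup are illustrative, and the entry title is a constructed sample.

```javascript
// Added example (not Statamic's code). Demonstrates the difference between
// wrapping raw search-result text in a highlight span and escaping each text
// segment first. Class names and helper names are illustrative assumptions.

const HIGHLIGHT_CLASSES = 'font-bold text-blue-700'; // assumed, not Statamic's

// Minimal HTML escaper, standing in for the escapeHtml helper the fix imports.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Return [start, end) ranges of every case-insensitive occurrence of query.
function findMatches(text, query) {
  const ranges = [];
  if (!query) return ranges;
  const lower = text.toLowerCase();
  const q = query.toLowerCase();
  let idx = lower.indexOf(q);
  while (idx !== -1) {
    ranges.push([idx, idx + q.length]);
    idx = lower.indexOf(q, idx + q.length);
  }
  return ranges;
}

// VULNERABLE: wraps the matched parts of the raw title in a span and returns
// markup that is then rendered as HTML. Any markup already in the title (which
// a low-privileged editor controls) is emitted verbatim.
function vulnerableHighlight(title, query) {
  const open = `<span class="${HIGHLIGHT_CLASSES}">`;
  let out = '';
  let cursor = 0;
  for (const [s, e] of findMatches(title, query)) {
    out += title.slice(cursor, s) + open + title.slice(s, e) + '</span>';
    cursor = e;
  }
  return out + title.slice(cursor);
}

// SAFE: escape every text segment before concatenating it with the span
// markup, so the only tags in the output are the highlighter's own.
function safeHighlight(title, query) {
  const open = `<span class="${HIGHLIGHT_CLASSES}">`;
  let out = '';
  let cursor = 0;
  for (const [s, e] of findMatches(title, query)) {
    out += escapeHtml(title.slice(cursor, s)) + open + escapeHtml(title.slice(s, e)) + '</span>';
    cursor = e;
  }
  return out + escapeHtml(title.slice(cursor));
}

// Check used below: after removing the highlighter's own spans, is any other
// tag left in the rendered HTML? (A demonstration check, not a sanitizer.)
function containsForeignMarkup(html) {
  const stripped = html
    .replace(/<span class="[^"]*">/g, '')
    .replace(/<\/span>/g, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample: a title an editor could give an entry.
const MALICIOUS_TITLE = 'Quarterly report <img src=x onerror="alert(document.cookie)">';

function demo() {
  const before = vulnerableHighlight(MALICIOUS_TITLE, 'report');
  const after = safeHighlight(MALICIOUS_TITLE, 'report');
  console.log('vulnerable:', before, '-> foreign markup:', containsForeignMarkup(before));
  console.log('safe:      ', after, '-> foreign markup:', containsForeignMarkup(after));
  return { before, after };
}

demo();
```

The vulnerable function produces the kind of string the old html: property carried into the palette: the img tag from the title survives intact and its onerror handler fires as soon as the result row is rendered as HTML. The safe variant escapes each text segment before adding its own span, so the highlight still works while the injected tag is shown as literal text. Escaping the whole string after highlighting would not work, because it would also neutralize the highlight span, which is why the escaping has to happen per segment.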
Mitigation Strategies
- Update Statamic CMS to version 6.2.3 or later; this is the only change that removes the root cause.
- A Content Security Policy that disallows unapproved inline scripts (nonce- or hash-based) limits what an injected payload can do if a similar flaw is found. Deploy it in report-only mode first and test it against the control panel, since strict policies commonly break admin UIs.
- Audit all accounts with Super Admin privileges, and before upgrading review entries created or renamed by low-privileged editors for titles containing HTML or script markup, since the payload is stored and will fire again on the next matching search.
Remediation Steps:
- Run composer update statamic/cms in your project root.
- Verify the version with php please version.
- Clear the caches with php artisan view:clear and php artisan cache:clear.