Stored XSS Vulnerability in Statamic Content Management System by Statamic
CVE-2025-64112

Score: 8 (HIGH)

Key Information:

  • Vendor: Statamic
  • Status: Vendor
  • CVE Published: 30 October 2025

What is CVE-2025-64112?

CVE-2025-64112 is a stored cross-site scripting (XSS) vulnerability in the Statamic Content Management System (CMS), a platform built on the Laravel framework and Git. The flaw lies in how Collections and Taxonomies handle user-generated content: an authenticated user who holds content creation permissions can store JavaScript in that content, and the script then executes in the browser of any user with elevated privileges who views it. Because the payload runs in a privileged session, it can compromise those accounts and the integrity of the CMS. Organizations running Statamic face a serious risk if the vulnerability is exploited, including unauthorized access, data manipulation, and reputational damage.

Potential impact of CVE-2025-64112

  1. Unauthorized Access: This vulnerability allows attackers to run malicious scripts that can hijack sessions or impersonate higher-privileged users, leading to unauthorized access to sensitive information within the CMS.

  2. Data Manipulation: With the ability to inject scripts, attackers can alter or corrupt stored data, affecting the reliability of information managed through the Statamic system and potentially leading to significant operational disruptions.

  3. Reputation Damage: The successful exploitation of this vulnerability can have long-lasting effects on an organization’s reputation, especially if sensitive user data is compromised or if the integrity of public-facing content is undermined.


Affected Version(s)

cms < 5.22.1
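A version check a defender could run against a deployment's composer.lock, written as an added example for this record (it is not code from Statamic or from this advisory); it assumes the Composer package is named statamic/cms and uses a constructed sample lock file.

```python
import json
import re

# Affected range taken from this CVE record: cms < 5.22.1.
# A pre-release of 5.22.1 (e.g. 5.22.1-beta.1) is treated as still affected.
FIXED_VERSION = (5, 22, 1, 1)
PACKAGE = "statamic/cms"  # Composer package name (assumed here, not stated on the page)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")

def parse_version(v: str) -> tuple:
    """Turn 'v5.22.0', '5.22.1' or '5.22.1-beta.1' into a comparable tuple.
    The last element is 0 for a pre-release and 1 for a final release, so that
    a pre-release sorts below the final release with the same numbers."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def is_affected(version: str) -> bool:
    """True when the version falls inside the vulnerable range (< 5.22.1)."""
    return parse_version(version) < FIXED_VERSION

def check_composer_lock(lock_text: str) -> dict:
    """Scan a composer.lock document for the CMS package and report its status.
    Returns {'found': bool, 'version': str | None, 'affected': bool | None}."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                ver = pkg.get("version", "")
                return {"found": True, "version": ver, "affected": is_affected(ver)}
    return {"found": False, "version": None, "affected": None}

# Constructed sample lock file (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v5.21.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```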

CVSS V3.1

  • Score: 8
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved