# CVE-2026-25759: Command Pwned: Stored XSS in Statamic's Command Palette
2026-02-11
admin
Vulnerability ID: CVE-2026-25759
CVSS Score: 8.7
Published: 2026-02-11

A critical Stored Cross-Site Scripting (XSS) vulnerability in Statamic CMS allows authenticated content editors to inject malicious JavaScript into the global Command Palette. When a Super Admin searches for content, the payload executes, leading to potential account takeover and Remote Code Execution (RCE).

## ⚠️ Exploit Status: POC

## Exploit Details

Low-privileged editors can name an article with a malicious XSS payload. When a Super Admin opens the Command Palette (Cmd+K) and searches for it, the script runs. This grants the attacker full admin access.

The fix: escape HTML in the Command Palette before it is rendered.

Read the full report for CVE-2026-25759 on our website for more details, including interactive diagrams and full exploit analysis.
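The two rendering shapes described above, as an added example that is not Statamic's own code: the unsafe form wraps the stored title in a highlight span and hands it to the browser as HTML, the hardened form escapes every text segment first. The escapeHtml helper, the HIGHLIGHT_CLASSES value and the index-based match splitting are assumptions, since the page does not show Statamic's highlight implementation.

```javascript
// Added example, not Statamic's code: escape-then-highlight rendering for
// Command Palette search results that are bound as HTML, beside the unsafe
// shape in which the stored title is wrapped in a span without escaping.

// Minimal HTML escaper; the real helper imported from @/bootstrap/globals.js
// is assumed to behave the same way (assumption).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const HIGHLIGHT_CLASSES = 'font-bold'; // hypothetical class list
const OPEN_TAG = `<span class="${HIGHLIGHT_CLASSES}">`;

// Locate the matched substring (case-insensitive); returns [head, match, tail].
// An empty query matches nothing, so the whole title is returned as head.
function splitOnMatch(title, query) {
  const idx = query ? title.toLowerCase().indexOf(query.toLowerCase()) : -1;
  if (idx < 0) return [title, '', ''];
  return [title.slice(0, idx), title.slice(idx, idx + query.length), title.slice(idx + query.length)];
}

// Unsafe: the stored title reaches innerHTML as-is, so any markup an editor
// put into the title is parsed by the admin's browser.
function highlightUnsafe(title, query) {
  const [head, match, tail] = splitOnMatch(title, query);
  return head + (match ? OPEN_TAG + match + '</span>' : '') + tail;
}

// Hardened: every text segment is escaped before the span is added, so the
// only markup in the output is the one the palette itself produces.
function highlightResult(title, query) {
  const [head, match, tail] = splitOnMatch(title, query);
  return escapeHtml(head) + (match ? OPEN_TAG + escapeHtml(match) + '</span>' : '') + escapeHtml(tail);
}

// Defender's check for a test suite: after removing the palette's own span
// markup, no angle bracket may remain in a rendered result.
function hasOnlyHighlightMarkup(html) {
  const stripped = html.split(OPEN_TAG).join('').split('</span>').join('');
  return !/[<>]/.test(stripped);
}

// Constructed sample title; a benign tag is enough to show the difference.
const SAMPLE_TITLE = 'Hello <b>World</b>';
console.log(highlightUnsafe(SAMPLE_TITLE, 'world'));   // raw <b> survives
console.log(highlightResult(SAMPLE_TITLE, 'world'));   // <b> becomes &lt;b&gt;
```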
## Commit: 6ed4f65

```diff
import { escapeHtml } from '@/bootstrap/globals.js';
...
- html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'),
+ html: highlightResult(result[0]),
```
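Review bot: the body of highlightResult is elided by the `...`, so the visible lines show escapeHtml being imported and `result[0].highlight(...)` being swapped for `highlightResult(result[0])`, but not that the title is actually escaped before the highlight span is inserted; the definition should be shown alongside the call site so the escape-then-highlight order can be reviewed. Also, `highlightClasses` is no longer referenced in the visible lines after the change, so confirm it is still used inside highlightResult or remove the now-unused variable.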
## Technical Details

- CVE ID: CVE-2026-25759
- CVSS v3.1: 8.7 (High)
- CWE: CWE-79 (Cross-site Scripting)
- Attack Vector: Network (Stored)
- Privileges Required: Low (Editor)
- User Interaction: Required (Search Trigger)
- Patch Status: Fixed in v6.2.3

## Affected Systems

- Statamic CMS 6.0.0
- Statamic CMS 6.0.x
- Statamic CMS 6.1.x
- Statamic CMS 6.2.0
- Statamic CMS 6.2.1
- Statamic CMS 6.2.2
- Statamic CMS: >= 6.0.0, < 6.2.3 (Fixed in: 6.2.3)

## Code Analysis

Manual Analysis: PoC derived from the patch diff: inject a script into an entry title, then trigger it via a Command Palette search.

## Mitigation Strategies

- Update Statamic CMS to version 6.2.3 or higher.
- Implement a strict Content Security Policy (CSP) to block inline scripts.
- Audit all user accounts with Super Admin privileges.
- Run `composer update statamic/cms` in your project root.
- Verify the version with `php please version`.
- Clear the view and application caches using `php artisan view:clear` and `php artisan cache:clear`.

## References

- GHSA-ff9r-ww9c-43x8