import { escapeHtml } from '@/bootstrap/globals.js'; ... - html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'), + html: highlightResult(result[0]), CODE_BLOCK: import { escapeHtml } from '@/bootstrap/globals.js'; ... - html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'), + html: highlightResult(result[0]), CODE_BLOCK: import { escapeHtml } from '@/bootstrap/globals.js'; ... - html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'), + html: highlightResult(result[0]),
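Review bot: The new `html: highlightResult(result[0])` value is still consumed as markup, so the fix holds only if `highlightResult` escapes the matched text before inserting the highlight spans; the added `escapeHtml` import suggests that is what it does, but the helper's body is not in the hunk. A one-line comment at the call site would record the invariant for the next maintainer, e.g. `// html is rendered unescaped — highlightResult must escape the raw title before wrapping matches`. The object literal and the function that builds it start and end outside the hunk.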
- CVE ID: CVE-2026-25759
- CVSS v3.1: 8.7 (High)
- CWE: CWE-79 (Cross-site Scripting)
- Attack Vector: Network (Stored)
- Privileges Required: Low (Editor)
- User Interaction: Required (Search Trigger)
- Patch Status: Fixed in v6.2.3
- Statamic CMS 6.0.0
- Statamic CMS 6.0.x
- Statamic CMS 6.1.x
- Statamic CMS 6.2.0
- Statamic CMS 6.2.1
- Statamic CMS 6.2.2
- Statamic CMS: >= 6.0.0, < 6.2.3 (Fixed in: 6.2.3)
- Manual Analysis: PoC derived from patch diff: Inject script into entry title, trigger via Command Palette search.
- Update Statamic CMS to version 6.2.3 or higher.
- Implement a strict Content Security Policy (CSP) that blocks inline scripts, as defense in depth alongside the update.
- Audit all user accounts with Super Admin privileges.
- Run `composer update statamic/cms` in your project root.
- Verify the installed version with `php please version`.
- Clear the view and application caches using `php artisan view:clear` and `php artisan cache:clear`.
- GHSA-ff9r-ww9c-43x8