# Command Pwned: Stored XSS in Statamic's Command Palette

Vulnerability ID: CVE-2026-25759
CVSS Score: 8.7
Published: 2026-02-11

## ⚠️ Exploit Status: POC

A critical Stored Cross-Site Scripting (XSS) vulnerability in Statamic CMS allows authenticated content editors to inject malicious JavaScript into the global Command Palette. When a Super Admin searches for content, the payload executes, leading to potential account takeover and Remote Code Execution (RCE).

## Technical Details

- CVE ID: CVE-2026-25759
- CVSS v3.1: 8.7 (High)
- CWE: CWE-79 (Cross-site Scripting)
- Attack Vector: Network (Stored)
- Privileges Required: Low (Editor)
- User Interaction: Required (Search Trigger)
- Patch Status: Fixed in v6.2.3

## Affected Systems

- Statamic CMS 6.0.0
- Statamic CMS 6.0.x
- Statamic CMS 6.1.x
- Statamic CMS 6.2.0
- Statamic CMS 6.2.1
- Statamic CMS 6.2.2
- Statamic CMS: >= 6.0.0, < 6.2.3 (Fixed in: 6.2.3)

## Code Analysis

## Commit: 6ed4f65

Escape HTML in Command Palette

```
import { escapeHtml } from '@/bootstrap/globals.js';
...
- html: result[0].highlight(`<span class="${highlightClasses}">`, '</span>'),
+ html: highlightResult(result[0]),
```

## Exploit Details

- Manual Analysis: PoC derived from patch diff: Inject script into entry title, trigger via Command Palette search.

Low-privileged editors can name an article with a malicious XSS payload. When a Super Admin opens the Command Palette (Cmd+K) and searches for it, the script runs. This grants the attacker full admin access.

## Mitigation Strategies

- Update Statamic CMS to version 6.2.3 or higher.
- Implement a strict Content Security Policy (CSP) to block inline scripts.
- Audit all user accounts with Super Admin privileges.
- Run `composer update statamic/cms` in your project root.
- Verify the version with `php please version`.
- Clear the view cache using `php artisan view:clear` and `php artisan cache:clear`.

## References

- GHSA-ff9r-ww9c-43x8

Read the full report for CVE-2026-25759 on our website for more details including interactive diagrams and full exploit analysis.
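Review bot: in the commit 6ed4f65 hunk above, the `- html: result[0].highlight(...)` line is replaced by `+ html: highlightResult(result[0]),`, but the body of `highlightResult` is not part of the quoted hunk, so a reader cannot confirm from the diff alone that the imported `escapeHtml` is applied to the editor-controlled title text before the highlight span is inserted rather than to the already-wrapped string (which would escape the span itself). The excerpt should include the definition of `highlightResult`, and the change would benefit from a test that feeds a title containing `<`, `>` and `"` through the palette renderer and asserts the output keeps only the highlight span as markup.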
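The escape-before-highlight pattern that the `escapeHtml` import in the hunk points to, shown as an added example alongside the vulnerable shape; this is illustrative code, not Statamic's implementation, and `escapeHtml`, `highlightResult`, `HIGHLIGHT_CLASSES` and the sample title are all assumptions constructed for it.

```javascript
// Added example (not Statamic's code). Shows why wrapping a raw search-result
// title in a highlight span is a stored-XSS sink, and the escape-then-highlight
// fix. HIGHLIGHT_CLASSES stands in for the page's `highlightClasses`.
const HIGHLIGHT_CLASSES = 'font-bold';

// Assumed minimal equivalent of the imported escapeHtml helper.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the span is spliced into the unescaped title, so any
// markup an editor saved in the title is emitted verbatim into innerHTML.
function highlightUnsafe(title, query) {
  const i = title.toLowerCase().indexOf(query.toLowerCase());
  if (i < 0) return title;
  return title.slice(0, i) + `<span class="${HIGHLIGHT_CLASSES}">` +
    title.slice(i, i + query.length) + '</span>' + title.slice(i + query.length);
}

// Fixed pattern: locate the match on the raw text, then escape each
// editor-controlled slice separately so only our own span remains as markup.
// (Escaping the final string instead would neutralise the span too.)
function highlightResult(title, query) {
  const i = title.toLowerCase().indexOf(query.toLowerCase());
  if (i < 0) return escapeHtml(title);
  return escapeHtml(title.slice(0, i)) + `<span class="${HIGHLIGHT_CLASSES}">` +
    escapeHtml(title.slice(i, i + query.length)) + '</span>' +
    escapeHtml(title.slice(i + query.length));
}

// Constructed entry title of the kind a low-privileged editor could save.
const CONSTRUCTED_TITLE = 'Q1 report <script>alert(1)</script>';

// Regression guard for a renderer test: true if the fragment contains any
// tag other than the highlight span, i.e. editor text leaked as markup.
function containsForeignMarkup(html) {
  const stripped = html.replace(/<span class="[^"]*">|<\/span>/g, '');
  return /<[a-zA-Z!/]/.test(stripped);
}
```

Note that `highlightResult` computes the match index on the lowercased string and assumes lowercasing preserves length, which holds for ASCII titles but not for every Unicode case mapping.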