Headline

GHSA-g59r-24g3-h7cm: Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation

Impact

Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.

This affects:

Control panel users with permission to create or edit Collections and Taxonomies
Versions up to and including 5.22.0

The vulnerability can be exploited to:

Change a super admin’s password (versions ≤ 5.21.0)
Change a super admin’s email address to initiate password reset (version 5.22.0)
Gain unauthorized access to superadmin accounts

The attack requires:

An authenticated user with control panel and content creation permissions
A super admin to view the compromised content

Patches

This has been fixed in 5.22.1.

Credits

Statamic thanks Wojtek Chwala for responsibly reporting the identified issues and working with us as we addressed them.

5 hours ago

ghsa

Open in Source

#xss #csrf #vulnerability #git #java #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2025-64112

Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation

High severity GitHub Reviewed Published Oct 30, 2025 in statamic/cms • Updated Oct 30, 2025

Package

Affected versions

<= 5.22.0

Impact

This affects:

Control panel users with permission to create or edit Collections and Taxonomies
Versions up to and including 5.22.0

The vulnerability can be exploited to:

Change a super admin’s password (versions ≤ 5.21.0)
Change a super admin’s email address to initiate password reset (version 5.22.0)
Gain unauthorized access to superadmin accounts

The attack requires: