CVE-2025-64112

Impact

Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users.

This affects:

Control panel users with permission to create or edit Collections and Taxonomies
Versions up to and including 5.22.0

The vulnerability can be exploited to:

Change a super admin's password (versions ≤ 5.21.0)
Change a super admin's email address to initiate password reset (version 5.22.0)
Gain unauthorized access to superadmin accounts

The attack requires:

An authenticated user with control panel and content creation permissions
A super admin to view the compromised content

Patches

This has been fixed in 5.22.1.

Credits

Statamic thanks Wojtek Chwala for responsibly reporting the identified issues and working with us as we addressed them.

Published: Oct 30, 2025
Updated: Oct 31, 2025
CVE: CVE-2025-64112
GHSA: GHSA-g59r-24g3-h7cm
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
statamic / cms	-	5.22.1

Vulnerability Database

CVE-2025-64112

Impact

Patches

Credits

Deep Security Visibility Without the Complexity