CVE-2025-64112 Overview
CVE-2025-64112 is a stored Cross-Site Scripting (XSS) vulnerability in Statamic, a Laravel and Git-powered content management system (CMS). The flaw resides in the Collections, Taxonomies, and Forms features of the control panel, where authenticated users with content creation permissions can store a malicious title that is later interpreted as script. The payload executes in the browser of higher-privileged users who open the affected control panel view, enabling session riding, privilege escalation, or arbitrary actions within the Statamic control panel. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and is fixed in Statamic CMS version 5.22.1.
Critical Impact
An authenticated low-privilege user can ride administrator sessions and pivot to full CMS compromise through stored payloads rendered in Collection, Taxonomy, and Form titles.
Affected Products
- Statamic CMS versions prior to 5.22.1
- Statamic Collections module (control panel views)
- Statamic Taxonomies and Forms modules (control panel views)
Discovery Timeline
- 2025-10-30 - CVE-2025-64112 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64112
Vulnerability Analysis
The vulnerability is a stored XSS flaw in the Statamic control panel. Authenticated users with permission to create or edit Collections, Taxonomies, or Forms can embed template syntax inside title fields. When a higher-privileged user, such as an administrator, navigates to the affected view, the control panel's Vue instance compiles the rendered title and executes the attacker-controlled expression in the page's JavaScript context. Because the script runs inside the authenticated control panel, the attacker can issue control panel requests with the victim's live session, modify content, create new administrator accounts, or exfiltrate data reachable from the page. Laravel's session cookie is HttpOnly by default, so the realistic abuse is riding the session to make authenticated requests rather than stealing the cookie itself. The Network attack vector and the user-interaction requirement reflect that exploitation depends on a privileged user loading the affected view.
Root Cause
The root cause is that the Statamic control panel is a Vue application that compiles the server-rendered Blade markup as an in-DOM template. Title strings retrieved from Collections, Taxonomies, and Forms were echoed through Laravel's __() translation helper inside Blade {{ }} echo tags. Blade's {{ }} HTML-escapes its output, so a raw <script> tag in a title is neutralized, but HTML escaping does not touch Vue's mustache syntax: a title containing {{ ... }} reaches the DOM as literal text, and Vue then evaluates it as a template expression. The patch, which adds v-pre rather than changing the escaping, confirms that the exploitable path is this client-side template injection rather than a missing HTML escape. Passing a user-controlled string to __() is a further weakness: when no translation key matches, the helper returns the string unchanged, so it provides no sanitization.
Attack Vector
An attacker with low-privilege authenticated access creates or edits a Collection, Taxonomy, or Form and injects a payload into the title field. When an administrator opens the corresponding control panel view, the embedded payload executes with the administrator's session privileges.
// Patch: resources/views/collections/empty.blade.php
'url' => cp_route('collections.index'),
'title' => __('Collections')
])
- <h1>{{ __($collection->title()) }}</h1>
+ <h1 v-pre>{{ __($collection->title()) }}</h1>
</header>
<div class="card p-4 content">
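Review bot: v-pre on the <h1> stops Vue from compiling that element and its children, but the line still hands the user-controlled $collection->title() to __(), so the hunk hardens the sink while leaving the questionable call in place; Laravel's translator returns an unmatched key unchanged, so __() adds no protection here and `{{ $collection->title() }}` would state plainly what is being rendered. It is also worth confirming that every other control panel view echoing a collection title into Vue-compiled markup received the same attribute, since this hunk touches only the empty-collection view.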
// Patch: resources/views/forms/show.blade.php
'title' => __('Forms')
])
<div class="flex items-center">
- <h1 class="flex-1">
+ <h1 v-pre class="flex-1">
{{ __($form->title()) }}
</h1>
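Review bot: placing v-pre on the <h1> while the echo sits on its own child line is correct, because v-pre applies to descendants too; but the fix relies on the Blade-escaping `{{ __($form->title()) }}` echo staying as it is, since v-pre only suppresses Vue compilation and offers nothing against raw HTML if any view switches to `{!! !!}`. A test that stores a form titled with a mustache expression and asserts it appears literally in the rendered page would pin both halves of the protection.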
Source: Statamic CMS commit e513751. The fix adds the Vue v-pre directive to the heading, which instructs Vue to skip compilation of that element and its children, so a title containing Vue interpolation or directive syntax is left as the literal, Blade-escaped text rather than evaluated.
Detection Methods for CVE-2025-64112
Indicators of Compromise
- Collection, Taxonomy, or Form titles containing Vue mustache expressions {{ }}, the primary indicator for this flaw. HTML tags, <script> blocks, or Vue directive names such as v-html or v-on: in titles are also anomalous and worth flagging, even though Blade escapes tags in these views and directives only take effect as element attributes.
- Unexpected administrative actions — new users, role changes, or content edits — performed shortly after a privileged user accessed the control panel.
- Outbound requests from administrator browsers to unfamiliar domains immediately after control panel navigation.
Detection Strategies
- Review the Statamic content store (Git history of content/collections, content/taxonomies, and form configuration YAML files) for title fields containing script payloads or template syntax.
- Inspect web server access logs for POST requests to /cp/collections, /cp/taxonomies, and /cp/forms endpoints made by non-admin users, correlated with subsequent admin GET requests.
- Enable Content Security Policy (CSP) violation reporting on the control panel. Note that an expression evaluated by Vue's template compiler is not an inline <script>, so a report is likelier to surface a payload's follow-on actions (for example loading an external script or beaconing to an unlisted origin) than the injection itself.
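As an added example (not Statamic code and not part of the original advisory), the following Python script implements the first detection strategy above: it walks collection, taxonomy, and form YAML files, extracts the top-level title without needing a YAML library, flags Vue mustache syntax, Vue-style attribute bindings, and HTML tags, and shows why HTML escaping alone does not neutralize the mustache case. The directory layout (content/collections, content/taxonomies, resources/forms) and the sample files are assumptions constructed for the demonstration.

```python
"""Scan Statamic content YAML for titles carrying client-side template syntax.

Added example for this write-up, not Statamic project code. It assumes one
YAML file per collection, taxonomy or form with a top-level `title:` key
(content/collections/*.yaml, content/taxonomies/*.yaml, resources/forms/*.yaml).
The paths are assumptions; adjust them to the installation being audited.
"""
import html
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Vue mustache interpolation is the pattern that matters for CVE-2025-64112:
# Blade's {{ }} escaping leaves it intact and the control panel's Vue instance
# compiles it. The other two patterns catch probing that Blade would escape.
MUSTACHE = re.compile(r"\{\{.*?\}\}", re.DOTALL)
VUE_ATTR = re.compile(r"(?<![\w-])(v-[a-z-]+|@[a-z]+|:[a-z-]+)\s*=", re.IGNORECASE)
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Top-level `title:` only; indented keys (nested fields) do not match.
TITLE_LINE = re.compile(r"^title:\s*(.*?)\s*$", re.MULTILINE)


def classify_title(title: str) -> List[str]:
    """Return the reasons a title looks like a template/XSS probe (empty if clean)."""
    reasons = []
    if MUSTACHE.search(title):
        reasons.append("vue-mustache")
    if VUE_ATTR.search(title):
        reasons.append("vue-directive")
    if HTML_TAG.search(title):
        reasons.append("html-tag")
    return reasons


def extract_title(yaml_text: str) -> Optional[str]:
    """Pull the top-level `title:` value, stripping one pair of matching quotes."""
    m = TITLE_LINE.search(yaml_text)
    if not m:
        return None
    value = m.group(1)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def scan_yaml_text(name: str, yaml_text: str) -> Optional[Dict]:
    """Return a finding for one file's text, or None when the title is clean."""
    title = extract_title(yaml_text)
    if title is None:
        return None
    reasons = classify_title(title)
    if not reasons:
        return None
    return {"file": name, "title": title, "reasons": reasons}


def scan_directories(roots: Iterable[str]) -> List[Dict]:
    """Scan every *.yaml file directly under each root directory."""
    findings = []
    for root in roots:
        for path in sorted(Path(root).glob("*.yaml")):
            hit = scan_yaml_text(str(path), path.read_text(encoding="utf-8"))
            if hit:
                findings.append(hit)
    return findings


def escaping_does_not_neutralize(title: str) -> bool:
    """Blade's {{ }} applies HTML escaping comparable to html.escape().
    True when a mustache expression survives that escaping, which is exactly
    the case Vue still compiles; HTML tags, by contrast, do not survive it."""
    return MUSTACHE.search(html.escape(title)) is not None


# Constructed samples standing in for real content files (not from any site).
SAMPLES = {
    "content/collections/blog.yaml": "title: Blog\nroute: /blog/{slug}\n",
    "content/taxonomies/tags.yaml": "title: 'News {{ 7*7 }}'\n",
    "resources/forms/contact.yaml": "title: Contact <img src=x onerror=alert(1)>\nemail:\n  - to: a@b\n",
}


def scan_samples() -> List[Dict]:
    """Run the scanner over the constructed samples."""
    return [h for h in (scan_yaml_text(n, t) for n, t in SAMPLES.items()) if h]


if __name__ == "__main__":
    for finding in scan_samples():
        print(f"{finding['file']}: {finding['reasons']} -> {finding['title']!r}")
```

Run it against a checkout of the content repository by calling scan_directories with the real paths; in a Git-backed Statamic site, running it over each historical commit of the content directory also surfaces payloads that were later edited away.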
Monitoring Recommendations
- Monitor Git commits to the Statamic content repository for unusual payloads in title fields authored by low-privilege editors.
- Alert on creation of new Statamic admin users or permission changes that follow recent content edits by lower-privileged accounts.
- Track anomalous browser-originated API calls from administrator sessions, such as bulk content modification or user management requests.
How to Mitigate CVE-2025-64112
Immediate Actions Required
- Upgrade Statamic CMS to version 5.22.1 or later, which adds the v-pre directive to the affected Blade templates so the control panel's Vue instance no longer compiles title text.
- Audit all existing Collections, Taxonomies, and Forms for titles containing HTML or template syntax and remove them. Upgrading renders stored payloads inert in the patched views but does not delete them from the content store, so do this step regardless of whether it happens before or after the upgrade.
- Review the Statamic user roster and revoke content creation permissions for accounts that do not require them.
Patch Information
The vulnerability is fixed in Statamic CMS 5.22.1. The patch, committed as e513751f433679ce698606e20c554a0c839987c1, adds the Vue v-pre directive to <h1> elements in resources/views/collections/empty.blade.php, resources/views/forms/show.blade.php, and related views. Full details are available in the Statamic GHSA-g59r-24g3-h7cm advisory.
Workarounds
- Restrict Collection, Taxonomy, and Form creation and edit permissions to fully trusted users until the patch is applied.
- Deploy a Content Security Policy on the /cp control panel route to limit unauthorized script sources and outbound connections. Treat this as defense in depth rather than a fix: the control panel compiles Vue templates in the browser, which typically requires 'unsafe-eval', and a payload evaluated through Vue's compiler is not an inline <script>, so a policy the control panel still works under generally will not stop the injection itself. Validate any policy in a staging environment before enforcing it.
- Apply a temporary template override that adds the v-pre directive to the affected <h1> elements in the control panel views. Laravel resolves overridden package views from resources/views/vendor/<namespace>; confirm the view namespace and paths against your installed version, and remove the override after upgrading.
# Upgrade Statamic to the patched release
composer require statamic/cms:^5.22.1
php artisan view:clear
php artisan cache:clear
# Verify installed version
php artisan statamic:version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


