Skip to main content

Statamic CMS CVE-2026-41175

| EUVDEUVD-2026-25108 HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-04-22 GitHub_M GHSA-4jjr-vmv7-wh4w
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 19:26 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:56 vuln.today
Patch available
Apr 22, 2026 - 23:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 21:46 euvd
EUVD-2026-25108
Analysis Generated
Apr 22, 2026 - 21:46 vuln.today
CVE Published
Apr 22, 2026 - 21:25 nvd
HIGH 8.1

DescriptionGitHub Advisory

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.

AnalysisAI

Mass deletion of content, assets, and user accounts in Statamic CMS versions prior to 5.73.20 and 6.13.0 occurs via query parameter manipulation on Control Panel endpoints (requiring minimal authentication like 'view entries' permission) or unauthenticated exploitation through REST/GraphQL APIs if explicitly enabled without authentication. Authenticated attackers with low-privilege viewer roles can escalate to delete resources they should only read. Unauthenticated attackers can exploit misconfigured API endpoints (non-default configuration) to achieve the same destructive impact. CVSS 8.1 (High) reflects network-accessible attack with low complexity, though exploitation conditions vary significantly by deployment configuration. No active exploitation confirmed (not in CISA KEV), EPSS data not provided.

Technical ContextAI

Statamic is a Laravel-based flat-file CMS (CPE: cpe:2.3:a:statamic:cms) that provides Control Panel UI, optional REST API, and optional GraphQL API for content management. The vulnerability is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), indicating unsafe handling of user-supplied parameters in query strings or GraphQL arguments. The flaw allows HTTP parameter pollution or argument injection to bypass authorization checks that should enforce separation between read ('view') and write ('delete') operations. The Laravel framework's request handling and Statamic's permission middleware appear to improperly validate parameter-based resource identifiers or action selectors, allowing low-privilege authenticated users to invoke privileged deletion operations. The REST and GraphQL APIs, when enabled without authentication guards, expose the same vulnerable parameter handling to completely unauthenticated attackers.

RemediationAI

Upgrade immediately to Statamic CMS version 5.73.20 (for 5.x deployments) or 6.13.0 (for 6.x deployments) per vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w. For sites that have enabled REST or GraphQL APIs, treat as emergency patch due to potential unauthenticated mass deletion exposure. If immediate patching is not possible, implement these compensating controls: (1) Disable REST API and GraphQL API endpoints entirely in config/statamic/api.php and config/statamic/graphql.php until patching completes-this eliminates unauthenticated attack vector with no functional loss if APIs are not actively used, though breaks any third-party integrations relying on these interfaces. (2) If APIs must remain active, enforce authentication by configuring guards in api.php and graphql.php middleware settings-requires application restart and testing of API client authentication flows. (3) Review Control Panel user permissions and apply least-privilege principle, downgrading viewer-role accounts that do not require delete capabilities-reduces authenticated attack surface but does not eliminate vulnerability. (4) Deploy web application firewall rules to detect and block suspicious patterns in query parameters targeting known Statamic endpoints (e.g., multiple 'id[]' parameters, unusual HTTP methods on read-only resources)-may generate false positives and requires tuning.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-41175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy