Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
AnalysisAI
Mass deletion of content, assets, and user accounts in Statamic CMS versions prior to 5.73.20 and 6.13.0 occurs via query parameter manipulation on Control Panel endpoints (requiring minimal authentication like 'view entries' permission) or unauthenticated exploitation through REST/GraphQL APIs if explicitly enabled without authentication. Authenticated attackers with low-privilege viewer roles can escalate to delete resources they should only read. Unauthenticated attackers can exploit misconfigured API endpoints (non-default configuration) to achieve the same destructive impact. CVSS 8.1 (High) reflects network-accessible attack with low complexity, though exploitation conditions vary significantly by deployment configuration. No active exploitation confirmed (not in CISA KEV), EPSS data not provided.
Technical ContextAI
Statamic is a Laravel-based flat-file CMS (CPE: cpe:2.3:a:statamic:cms) that provides Control Panel UI, optional REST API, and optional GraphQL API for content management. The vulnerability is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), indicating unsafe handling of user-supplied parameters in query strings or GraphQL arguments. The flaw allows HTTP parameter pollution or argument injection to bypass authorization checks that should enforce separation between read ('view') and write ('delete') operations. The Laravel framework's request handling and Statamic's permission middleware appear to improperly validate parameter-based resource identifiers or action selectors, allowing low-privilege authenticated users to invoke privileged deletion operations. The REST and GraphQL APIs, when enabled without authentication guards, expose the same vulnerable parameter handling to completely unauthenticated attackers.
RemediationAI
Upgrade immediately to Statamic CMS version 5.73.20 (for 5.x deployments) or 6.13.0 (for 6.x deployments) per vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w. For sites that have enabled REST or GraphQL APIs, treat as emergency patch due to potential unauthenticated mass deletion exposure. If immediate patching is not possible, implement these compensating controls: (1) Disable REST API and GraphQL API endpoints entirely in config/statamic/api.php and config/statamic/graphql.php until patching completes-this eliminates unauthenticated attack vector with no functional loss if APIs are not actively used, though breaks any third-party integrations relying on these interfaces. (2) If APIs must remain active, enforce authentication by configuring guards in api.php and graphql.php middleware settings-requires application restart and testing of API client authentication flows. (3) Review Control Panel user permissions and apply least-privilege principle, downgrading viewer-role accounts that do not require delete capabilities-reduces authenticated attack surface but does not eliminate vulnerability. (4) Deploy web application firewall rules to detect and block suspicious patterns in query parameters targeting known Statamic endpoints (e.g., multiple 'id[]' parameters, unusual HTTP methods on read-only resources)-may generate false positives and requires tuning.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25108
GHSA-4jjr-vmv7-wh4w