CVE-2026-41175
Published: 22 April 2026
Summary
CVE-2026-41175 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Statamic Statamic. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates externally-controlled query parameters, REST API inputs, and GraphQL arguments to prevent manipulation resulting in unauthorized deletions.
Ensures timely remediation of the specific flaw in Statamic CMS by patching to versions 5.73.20 or 6.13.0, eliminating the vulnerability.
Enforces least privilege to restrict low-permission Control Panel users from performing destructive actions even if input manipulation occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Statamic CMS enables exploitation via parameter manipulation on Control Panel/API/GraphQL endpoints for unauthorized deletion of content/assets (T1190 + T1485) and user accounts (T1531).
NVD Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets,…
more
and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
Deeper analysisAI
CVE-2026-41175 is a vulnerability in Statamic, a Laravel and Git-powered content management system (CMS), affecting versions prior to 5.73.20 and 6.13.0. It stems from CWE-470 (Use of Externally-Controlled Input to Select Classes or Code) and allows attackers to manipulate query parameters on Control Panel endpoints, REST API endpoints, or arguments in GraphQL queries. This manipulation can result in the deletion of content, assets, and user accounts. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.
Attackers can exploit this vulnerability in different ways depending on the endpoint. For Control Panel endpoints, an authenticated user with minimal permissions—such as "view entries" to delete entries or "view users" to delete users—can perform destructive actions remotely. REST API and GraphQL exploits require no permissions or authentication but are not enabled by default; they demand explicit configuration without authentication and enabling specific resources. Successful exploitation leads to unauthorized deletion of site content, assets, and user accounts.
The Statamic security advisory at https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w details the fix in versions 5.73.20 and 6.13.0. Sites enabling REST or GraphQL APIs without authentication should prioritize patching as critical, while others should update promptly to mitigate risks from low-privilege Control Panel users.
Details
- CWE(s)