CVE-2026-41175: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in statamic cms
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
AI Analysis
Technical Summary
CVE-2026-41175 is an unsafe reflection vulnerability in Statamic CMS that allows attackers to manipulate externally controlled input to select classes or code, leading to unauthorized deletion of content, assets, and user accounts. The vulnerability affects versions before 5.73.20 and 6.13.0. Exploitation through the Control Panel requires authenticated users with minimal permissions such as 'view entries' or 'view users'. Exploitation through REST or GraphQL APIs requires these interfaces to be enabled without authentication, which is not the default configuration. The vulnerability is addressed in Statamic CMS versions 5.73.20 and 6.13.0.
Potential Impact
Successful exploitation can result in the loss of content, assets, and user accounts. The impact includes high integrity and availability damage but no confidentiality loss is indicated. The Control Panel attack vector requires minimal authenticated permissions, while REST and GraphQL API vectors require insecure configuration (enabled without authentication).
Mitigation Recommendations
A fix is available in Statamic CMS versions 5.73.20 and 6.13.0. Users should upgrade to these versions or later. Sites that enable REST or GraphQL APIs without authentication should prioritize patching as critical. If REST or GraphQL APIs are not enabled or are properly secured with authentication, the risk is significantly reduced.
CVE-2026-41175: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in statamic cms
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41175 is an unsafe reflection vulnerability in Statamic CMS that allows attackers to manipulate externally controlled input to select classes or code, leading to unauthorized deletion of content, assets, and user accounts. The vulnerability affects versions before 5.73.20 and 6.13.0. Exploitation through the Control Panel requires authenticated users with minimal permissions such as 'view entries' or 'view users'. Exploitation through REST or GraphQL APIs requires these interfaces to be enabled without authentication, which is not the default configuration. The vulnerability is addressed in Statamic CMS versions 5.73.20 and 6.13.0.
Potential Impact
Successful exploitation can result in the loss of content, assets, and user accounts. The impact includes high integrity and availability damage but no confidentiality loss is indicated. The Control Panel attack vector requires minimal authenticated permissions, while REST and GraphQL API vectors require insecure configuration (enabled without authentication).
Mitigation Recommendations
A fix is available in Statamic CMS versions 5.73.20 and 6.13.0. Users should upgrade to these versions or later. Sites that enable REST or GraphQL APIs without authentication should prioritize patching as critical. If REST or GraphQL APIs are not enabled or are properly secured with authentication, the risk is significantly reduced.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T16:34:45.526Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9419f19fe3cd2cdf48808
Added to database: 4/22/2026, 9:46:07 PM
Last enriched: 4/22/2026, 10:01:05 PM
Last updated: 4/22/2026, 11:37:18 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.