CVE-2026-41175: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in statamic cms
CVE-2026-41175 is a high-severity vulnerability in Statamic CMS versions prior to 5. 73. 20 and 6. 13. 0 involving unsafe reflection (CWE-470). It allows manipulation of query parameters on Control Panel and REST API endpoints or GraphQL queries to delete content, assets, and user accounts. Exploitation via the Control Panel requires authentication with minimal permissions, while REST and GraphQL API exploitation requires these APIs to be explicitly enabled without authentication. The vulnerability has been fixed in versions 5. 73. 20 and 6.
AI Analysis
Technical Summary
Statamic CMS versions before 5.73.20 and 6.13.0 contain an unsafe reflection vulnerability (CWE-470) that can be exploited by manipulating query parameters in Control Panel, REST API, or GraphQL endpoints. The Control Panel attack vector requires authenticated users with minimal permissions such as 'view entries' or 'view users' to delete respective resources. The REST and GraphQL API vectors do not require authentication but these APIs are disabled by default and must be explicitly enabled without authentication for exploitation. Successful exploitation can lead to deletion of content, assets, and user accounts. The vulnerability has been addressed in Statamic versions 5.73.20 and 6.13.0.
Potential Impact
Exploitation can result in unauthorized deletion of content, assets, and user accounts within the Statamic CMS. Control Panel exploitation requires minimal authenticated permissions, while REST and GraphQL API exploitation requires these APIs to be enabled without authentication. This can cause significant data loss and disruption of CMS operations.
Mitigation Recommendations
Upgrade Statamic CMS to version 5.73.20 or later, or 6.13.0 or later, where this vulnerability is fixed. Sites that enable the REST or GraphQL APIs without authentication should prioritize patching immediately. If REST or GraphQL APIs are not enabled or are properly secured with authentication, the risk is significantly reduced. No other specific mitigations are indicated.
CVE-2026-41175: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in statamic cms
Description
CVE-2026-41175 is a high-severity vulnerability in Statamic CMS versions prior to 5. 73. 20 and 6. 13. 0 involving unsafe reflection (CWE-470). It allows manipulation of query parameters on Control Panel and REST API endpoints or GraphQL queries to delete content, assets, and user accounts. Exploitation via the Control Panel requires authentication with minimal permissions, while REST and GraphQL API exploitation requires these APIs to be explicitly enabled without authentication. The vulnerability has been fixed in versions 5. 73. 20 and 6.
CVSS v3.1
Score 8.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Statamic CMS versions before 5.73.20 and 6.13.0 contain an unsafe reflection vulnerability (CWE-470) that can be exploited by manipulating query parameters in Control Panel, REST API, or GraphQL endpoints. The Control Panel attack vector requires authenticated users with minimal permissions such as 'view entries' or 'view users' to delete respective resources. The REST and GraphQL API vectors do not require authentication but these APIs are disabled by default and must be explicitly enabled without authentication for exploitation. Successful exploitation can lead to deletion of content, assets, and user accounts. The vulnerability has been addressed in Statamic versions 5.73.20 and 6.13.0.
Potential Impact
Exploitation can result in unauthorized deletion of content, assets, and user accounts within the Statamic CMS. Control Panel exploitation requires minimal authenticated permissions, while REST and GraphQL API exploitation requires these APIs to be enabled without authentication. This can cause significant data loss and disruption of CMS operations.
Mitigation Recommendations
Upgrade Statamic CMS to version 5.73.20 or later, or 6.13.0 or later, where this vulnerability is fixed. Sites that enable the REST or GraphQL APIs without authentication should prioritize patching immediately. If REST or GraphQL APIs are not enabled or are properly secured with authentication, the risk is significantly reduced. No other specific mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T16:34:45.526Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9419f19fe3cd2cdf48808
Added to database: 4/22/2026, 9:46:07 PM
Last enriched: 4/30/2026, 8:13:43 AM
Last updated: 6/5/2026, 10:44:39 PM
Views: 103
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.