CVE-2026-41175 | Statamic CMS up to 5.73.19/6.12.x REST API Endpoint externally-controlled input to select classes or code (GHSA-4jjr-vmv7-wh4w)
VulDBArchived Apr 23, 2026✓ Full text saved
A vulnerability described as problematic has been identified in Statamic CMS up to 5.73.19/6.12.x . The affected element is an unknown function of the component REST API Endpoint . The manipulation results in use of externally-controlled input to select classes or code. This vulnerability is reported as CVE-2026-41175 . The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-359113 · CVE-2026-41175 · GHSA-4JJR-VMV7-WH4W
STATAMIC CMS UP TO 5.73.19/6.12.X REST API ENDPOINT EXTERNALLY-CONTROLLED INPUT TO SELECT CLASSES OR CODE
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
6.6 $0-$5k 2.36+
Summaryinfo
A vulnerability classified as problematic has been found in Statamic CMS up to 5.73.19/6.12.x. The impacted element is an unknown function of the component REST API Endpoint. This manipulation causes use of externally-controlled input to select classes or code. This vulnerability appears as CVE-2026-41175. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.
Detailsinfo
A vulnerability has been found in Statamic CMS up to 5.73.19/6.12.x and classified as problematic. Affected by this vulnerability is some unknown processing of the component REST API Endpoint. The manipulation with an unknown input leads to a use of externally-controlled input to select classes or code vulnerability. The CWE definition for the vulnerability is CWE-470. The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. As an impact it is known to affect integrity, and availability. The summary by CVE is:
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
The advisory is shared at github.com. This vulnerability is known as CVE-2026-41175 since 04/17/2026. The exploitation appears to be easy. The attack can be launched remotely. Neither technical details nor an exploit are publicly available.
Upgrading to version 5.73.20 or 6.13.0 eliminates this vulnerability.
Productinfo
Type
Content Management System
Vendor
Statamic
Name
CMS
Version
5.73.0
5.73.1
5.73.2
5.73.3
5.73.4
5.73.5
5.73.6
5.73.7
5.73.8
5.73.9
5.73.10
5.73.11
5.73.12
5.73.13
5.73.14
5.73.15
5.73.16
5.73.17
5.73.18
5.73.19
6.0
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
6.11
6.12
Website
Product: https://github.com/statamic/cms/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 6.7
VulDB Meta Temp Score: 6.6
VulDB Base Score: 5.4
VulDB Temp Score: 5.2
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 8.1
CNA Vector (GitHub_M): 🔒
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Use of externally-controlled input to select classes or code
CWE: CWE-470
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: CMS 5.73.20/6.13.0
Timelineinfo
04/17/2026 CVE reserved
04/23/2026 +6 days Advisory disclosed
04/23/2026 +0 days VulDB entry created
04/23/2026 +0 days VulDB entry last update
Sourcesinfo
Product: github.com
Advisory: GHSA-4jjr-vmv7-wh4w
Status: Confirmed
CVE: CVE-2026-41175 (🔒)
GCVE (CVE): GCVE-0-2026-41175
GCVE (VulDB): GCVE-100-359113
Entryinfo
Created: 04/23/2026 07:20
Changes: 04/23/2026 07:20 (65)
Complete: 🔍
Cache ID: 99:082:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸