PT-2026-34571 · Statamic · Statamic

Joshuaalwin +1 · Published 2026-04-16 · Updated 2026-04-23 · CVE-2026-41175

CVSS v3.1: 8.1 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Statamic versions prior to 5.73.20
Statamic versions prior to 6.13.0

Description
Manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, can lead to the loss of content, assets, and user accounts. Exploitation via the Control Panel requires authentication with minimal permissions, such as the "view entries" permission to delete entries or the "view users" permission to delete users. Exploits targeting the REST and GraphQL APIs do not require permissions, but these APIs are not enabled by default; to be exploitable they must have been explicitly enabled without authentication and with the specific resources made accessible.

Recommendations
Update to version 5.73.20
Update to version 6.13.0

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-41175
GHSA-4JJR-VMV7-WH4W

Affected Products

Statamic