Listen to this Post
This vulnerability, currently tracked under GitHub Security Advisory GHSA-4jjr-vmv7-wh4w, affects Statamic CMS, a popular Laravel‑based content management system. It stems from how the CMS resolves query parameters, REST API arguments, and GraphQL query fields. In essence, the system does not properly sanitize or validate these inputs before using them in method calls. An attacker can craft malicious query parameters, REST API arguments, or GraphQL queries to trigger unintended method invocations. For example, supplying a specially crafted `?delete=true` parameter might cause the deletion of an entry or asset. The root cause is a missing or insufficient authorization layer that fails to distinguish between read and destructive actions when processing these inputs. This flaw is particularly dangerous because it can be exploited with minimal permissions in the Control Panel (e.g., a user with only “view entries” can delete them) and with no permissions at all if the REST or GraphQL APIs are enabled without authentication. The impact is severe: loss of content, assets, and even entire user accounts. The vulnerability is fixed in Statamic versions 5.73.20 and 6.13.0. Sites that expose the REST or GraphQL API without authentication should treat patching as a critical priority.
DailyCVE Form
Platform: Statamic CMS
Version: <5.73.20 & <6.13.0
Vulnerability: Unsafe method invocation via query value resolution (CWE‑94 / CWE‑20)
Severity: Critical
Date: 2026‑04‑16
Prediction: Patches already available in 5.73.20 / 6.13.0 (April 16, 2026)
Analytics under heading What Undercode Say:
The following bash commands can be used to check for vulnerable Statamic installations and to test for the query‑parameter injection flaw:
Check Statamic version
php artisan statamic:version
Search for vulnerable Statamic versions in a project
grep -E '"version": "(5.[0-9]+.[0-9]+|6.[0-9]+.[0-9]+)"' composer.json
Test for query‑parameter injection on a Control Panel endpoint
curl -X GET "https://target.com/cp/entries?delete=1&id=123"
Test for GraphQL injection (if GraphQL is enabled)
curl -X POST "https://target.com/graphql" -H "Content-Type: application/json" -d '{"query":"mutation { deleteEntry(id: 123) }"}'
Exploit:
An attacker with a valid Control Panel account (or no account if the API is exposed) can craft a simple HTTP request to any vulnerable endpoint. For instance, to delete an entry, the attacker might send:
GET /cp/entries?delete=1&id=456 HTTP/1.1 Host: target.com Cookie: statamic_session=...
If the GraphQL API is enabled without authentication, the same destructive action can be achieved by sending a GraphQL mutation to the public endpoint.
Protection from this CVE:
- Immediate upgrade: Update Statamic to versions 5.73.20 or 6.13.0 or later.
- Disable unauthenticated APIs: Ensure the REST and GraphQL APIs are not enabled without proper authentication.
- Apply strict input validation: Use allow‑lists for query parameters and argument names.
- Enable request logging: Monitor for unusual patterns of parameter names (e.g.,
delete,remove,purge). - Use a Web Application Firewall (WAF): Block requests containing suspicious parameter‑value pairs.
Impact:
- Content loss: Attackers can delete entries, assets, and other content.
- User account deletion: With sufficient permissions, attackers can remove user accounts.
- Data integrity compromise: Unauthorized modifications can lead to data corruption.
- Availability impact: Mass deletions can render the site non‑functional.
- Privilege escalation: Low‑privileged users can perform actions reserved for higher‑privileged roles.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

