CVE-2026-49287

Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction

Assigner: GitHub_M
Reserved: 28.05.2026 Published: 19.06.2026 Updated: 19.06.2026

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 7.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	statamic
Product	cms
Versions	Version < 5.73.23 is affected Version >= 6.0.0, < 6.20.0 is affected

Vendor

statamic

Product

cms

Versions

Version < 5.73.23 is affected
Version >= 6.0.0, < 6.20.0 is affected

References

Problem Types

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE

CVE-2026-49287 PUBLISHED

Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction

Metrics

Product Status

References

Problem Types