CVE-2026-49287
Status: Received - Intake
Statamic Content Loss via Sort Parameter Manipulation

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default: a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)
Vendor    Product   Version / Range
statamic  cms       up to 5.73.20 (excluding)
statamic  cms       up to 6.13.0 (excluding)
statamic  cms       5.73.23
statamic  cms       6.20.0
CWE
CWE-470: The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
AI Quick Actions (instant insights powered by AI)
Compliance Impact

The vulnerability in Statamic CMS (CVE-2026-49287) can lead to data destruction, including loss of content and assets, due to unsafe method invocation through collection sorting. This impacts data integrity and availability, which are critical aspects of compliance with standards like GDPR and HIPAA.

Since the vulnerability allows manipulation of data without requiring privileges or user interaction, it poses a risk to maintaining the accuracy and availability of data, potentially violating requirements for data protection and integrity under these regulations.

However, exploitation requires a specific front-end template configuration that explicitly passes visitor-controlled input to sorting parameters, meaning it is not exploitable by default. Organizations using affected versions should apply patches to mitigate risks and maintain compliance.

Executive Summary

The vulnerability CVE-2026-49287 in the Statamic CMS involves unsafe method invocation through collection sorting, which can lead to data destruction.

It occurs because a previous fix for a related vulnerability (CVE-2026-41175) addressed the issue in the query builder but did not apply the same protection to in-memory collection sorting.

An attacker can manipulate sort parameters in a front-end template that passes request input into a tag's sort parameter, causing loss of content and assets.

However, exploitation requires a template explicitly configured to sort by a visitor-controlled value, so it is not exploitable by default.

This vulnerability is classified under CWE-470, which involves the use of externally-controlled input to select classes or code improperly.

Impact Analysis

This vulnerability can lead to the loss of content and assets within the Statamic CMS.

Because it allows unsafe method invocation through manipulated sort parameters, attackers can cause data destruction affecting data integrity and availability.

The CVSS score of 7.4 (High severity) reflects the potential for significant impact without requiring privileges or user interaction.

Detection Guidance

This vulnerability involves manipulation of sort parameters in front-end templates that pass visitor-controlled input into a tag's sort parameter. Detection therefore means identifying templates that are explicitly configured to sort by a user-controlled value, such as a query-string or form field.

There are no specific commands or network detection methods provided in the available information to detect exploitation attempts or presence of this vulnerability.

Mitigation Strategies

The vulnerability has been fixed in Statamic CMS versions 5.73.23 and 6.20.0. Immediate mitigation involves upgrading your Statamic CMS installation to at least these versions.

Additionally, review your front-end templates to ensure they do not pass visitor-controlled input into sort parameters, as exploitation requires such explicit template configuration.
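As an added example (not code from the advisory or from the Statamic project), the following Python script implements the template review that the detection and mitigation guidance above describe: it walks a directory of Antlers templates and flags every tag `sort` parameter whose value interpolates a request variable. It assumes the Antlers conventions that variables inside tag parameters are written in single braces and that query-string and form input are exposed under the `get:`, `post:` and `get_post:` prefixes; the template file names and contents are constructed samples.

```python
"""Added example: flag Statamic Antlers templates whose tag `sort` parameter
is fed from request input (the configuration CVE-2026-49287 requires).
Assumptions (not taken from the advisory): tag parameters interpolate
variables with single braces, e.g. sort="{get:sort}", and request data is
exposed under the get:, post: and get_post: variable prefixes."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A sort parameter on any Antlers tag: sort="..." or sort:something='...'
SORT_PARAM = re.compile(r'''\bsort(?::\w+)?\s*=\s*(["'])(.*?)\1''')
# A request-derived variable interpolated into the parameter value.
REQUEST_VAR = re.compile(r'\{\{?\s*(?:get|post|get_post)\b')


def find_unsafe_sorts(template: str) -> list[str]:
    """Return the sort parameter values in `template` that interpolate
    request input. A static value such as "date:desc" is not reported."""
    return [
        match.group(2)
        for match in SORT_PARAM.finditer(template)
        if REQUEST_VAR.search(match.group(2))
    ]


def scan_directory(root: Path) -> list[tuple[str, str]]:
    """Scan every *.antlers.html file below `root` and return
    (relative path, offending sort value) pairs in path order."""
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*.antlers.html")):
        for value in find_unsafe_sorts(path.read_text(encoding="utf-8")):
            findings.append((path.relative_to(root).as_posix(), value))
    return findings


# Constructed sample templates: one static sort, two visitor-controlled sorts.
SAMPLE_TEMPLATES = {
    "blog/index.antlers.html":
        '{{ collection:blog sort="date:desc" limit="10" }}{{ title }}{{ /collection:blog }}',
    "products/index.antlers.html":
        '{{ collection:products sort="{get:sort}" }}{{ title }}{{ /collection:products }}',
    "search.antlers.html":
        "{{ collection:articles sort='{ get:field }:{get:dir}' }}{{ /collection:articles }}",
}


def demo() -> list[tuple[str, str]]:
    """Write the constructed templates to a temporary views directory and
    scan it, returning the findings a reviewer would follow up on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for relative, body in SAMPLE_TEMPLATES.items():
            target = root / relative
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_directory(root)


if __name__ == "__main__":
    for relative, value in demo():
        print(f"{relative}: sort parameter uses request input -> {value}")
```

Point `scan_directory` at a site's `resources/views` directory. Each finding is a template that should either stop sorting by visitor input or map the input through an explicit allowlist of permitted field names and directions before it reaches the tag; upgrading to 5.73.23 or 6.20.0 remains the primary fix.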
