CVE-2026-49287
Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction
| CVSS Score | 7.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default: a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.
| CWE | CWE-470 |
| Vendor | statamic |
| Product | cms |
| Published | Jun 19, 2026 |
CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | High |
Affected Versions

| statamic / cms | < 5.73.23 |
| statamic / cms | >= 6.0.0, < 6.20.0 |