CVE-2026-49287
Published: 2026-06-19
Priority: P3 · 42
CVSS 3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.27% (18.5th percentile)
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | >= 0 < 5.73.23 | 5.73.23 |
| statamic | cms | >= 6.0.0 < 6.20.0 | 6.20.0 |
GHSA (2026-06-26)
Statamic CMS's unsafe method invocation via collection sorting allows data destruction
CVE-2026-49287 [HIGH] CWE-470
### Impact
The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets.
This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value.
### Patches
This has been fixed in 5.73.23 and 6.20.0.
VulDB (2026-06-19)
Statamic CMS up to 5.73.22/6.19.x visitor-controlled externally-controlled input to select classes or code (GHSA-4jjr-vmv7-wh4w)
CVE-2026-49287 [LOW]
A vulnerability was found in Statamic CMS up to 5.73.22/6.19.x. It has been classified as problematic. Affected by this issue is some unknown functionality. Manipulation of a visitor-controlled argument leads to use of externally-controlled input to select classes or code.
This vulnerability is documented as CVE-2026-49287. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.