CVE-2026-49287

June 19, 2026, 6:16 p.m.

7.4
High

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.

Product(s) Impacted

  • Vendor: Statamic
  • Product: Statamic
  • Versions: <5.73.23, <6.20.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

*CPE(s)

Affected systems and software identified for this CVE.

Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information
a | statamic | statamic | <5.73.23 | / | / | / | / | / | / | /
a | statamic | statamic | <6.20.0 | / | / | / | / | / | / | /

CVSS Score

7.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Timeline

Published: June 19, 2026, 6:16 p.m.
Last Modified: June 19, 2026, 6:16 p.m.

Status: Received

CVE has been recently published to the CVE List and has been received by the NVD.

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.