Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.
Published: 2026-06-19
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Statamic CMS was found to allow unsafe method invocation during in‑memory collection sorting when the sort parameter comes from request input. The flaw, classified as CWE-470, permits attackers to manipulate sorting logic and trigger the deletion or loss of stored content and assets. The impact is the compromise of data integrity and availability, resulting in loss of published material and associated media.

Affected Systems

The vulnerability affects Statamic CMS versions prior to 5.73.23 and 6.20.0. Users running these releases are susceptible when a front‑end template passes visitor‑controlled values directly to a tag's sort parameter.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity. EPSS data is unavailable, and the issue is not listed in CISA's KEV catalog. Exploitation requires a template explicitly configured to sort by a user‑controlled value, meaning the vulnerability is not exploitable out of the box but could be leveraged if the template author inadvertently introduces the flaw. Attackers would manipulate the sort parameter to trigger unsafe method calls that can wipe or corrupt data.

Generated by OpenCVE AI on June 19, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to version 5.73.23 or 6.20.0 where the unsafe method invocation is fixed.
  • Audit all front‑end templates for tags that use dynamic sort parameters and either remove the user input or sanitize it to an approved set of values.
  • If dynamic sorting is required, implement a server-side whitelist that only accepts trusted sort fields and rejects all other inputs.

Generated by OpenCVE AI on June 19, 2026 at 21:15 UTC.
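The allowlist from the last recommendation, as an added example (not code from Statamic or from the OpenCVE record): a plain PHP helper that rebuilds a visitor-supplied sort value from allowlisted tokens before it is handed to a tag's sort parameter. It assumes the `field:direction` sort syntax with clauses separated by `|`; the field names, the default and the `sort_param.php` file name are hypothetical.

```php
<?php
// Added example (not Statamic's or OpenCVE's code): validate a visitor-controlled sort
// value against an allowlist before it is handed to a tag's sort parameter. Assumes the
// "field:direction|field:direction" sort syntax; field names and default are hypothetical.
declare(strict_types=1);
final class SortParam
{
    private const ALLOWED_FIELDS = ['title', 'date', 'author']; // hypothetical set
    private const ALLOWED_DIRECTIONS = ['asc', 'desc'];
    /**
     * Returns a sort string built only from allowlisted tokens, or $default when any
     * clause is off the list. The raw request value never passes through, so a method
     * name or other non-field token cannot reach the in-memory collection sorter.
     */
    public static function sanitize(?string $raw, string $default = 'date:desc'): string
    {
        if ($raw === null || trim($raw) === '') {
            return $default;
        }
        $clean = [];
        foreach (explode('|', $raw) as $clause) {
            $parts = explode(':', $clause, 2);
            $field = strtolower(trim($parts[0]));
            $dir   = strtolower(trim($parts[1] ?? 'asc'));
            if (!in_array($field, self::ALLOWED_FIELDS, true)
                || !in_array($dir, self::ALLOWED_DIRECTIONS, true)) {
                return $default; // reject the whole value, not just the bad clause
            }
            $clean[] = $field . ':' . $dir; // both tokens verified against constants
        }
        return implode('|', $clean);
    }
}
// Controller side (hypothetical): $sort = SortParam::sanitize(request()->query('sort'));
// then pass $sort to the view and bind it to the tag's sort parameter there.
// Self-check when run directly with `php sort_param.php`.
$cases = [
    ['title:asc|date:desc', 'title:asc|date:desc'],
    ['not_a_field', 'date:desc'],
    ['title:asc|date:sideways', 'date:desc'],
    [null, 'date:desc'],
];
foreach ($cases as [$input, $expected]) {
    if (SortParam::sanitize($input) !== $expected) {
        fwrite(STDERR, 'sanitize failed for ' . var_export($input, true) . "\n");
        exit(1);
    }
}
echo "ok\n";
```

Rejecting the whole value on any bad clause keeps the fallback predictable; the template never sees the request string itself.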

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Statamic, Statamic cms
Vendors & Products  |                | Statamic, Statamic cms

Fri, 19 Jun 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.
Title       |                | Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction
Weaknesses  |                | CWE-470
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T17:36:23.536Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49287

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')