CVE Catalog

CVE-2026-49287

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile - higher than 18% of all known CVEs

Summary

Statamic is a Laravel and Git powered content management system. In versions prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete, potentially leading to loss of content and assets due to manipulation of sort parameters.

Risk Assessment

The organization may lose important content and assets if a front-end template allows sorting by a visitor-controlled value. The risk is limited as it requires a specific template configuration.

Recommendation

It is recommended to upgrade to versions 5.73.23 or 6.20.0 to mitigate this vulnerability. Additionally, review template configurations to ensure they are not susceptible to manipulation.

Original NVD description (English source)

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS