CVE-2026-49287
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk18th percentile - higher than 18% of all known CVEs
Summary
Statamic is a Laravel and Git powered content management system. In versions prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete, potentially leading to loss of content and assets due to manipulation of sort parameters.
Risk Assessment
The organization may lose important content and assets if a front-end template allows sorting by a visitor-controlled value. The risk is limited as it requires a specific template configuration.
Recommendation
It is recommended to upgrade to versions 5.73.23 or 6.20.0 to mitigate this vulnerability. Additionally, review template configurations to ensure they are not susceptible to manipulation.
Original NVD description (English source)
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.

