Skip to main content

Statamic CMS CVE-2026-49287

| EUVDEUVD-2026-38057 HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-06-19 GitHub_M GHSA-m92m-r54r-x8r2
7.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.4 HIGH

Network-reachable via HTTP without auth or interaction (AV:N/PR:N/UI:N); AC:H because exploitation depends on a non-default template wiring request input into a sort parameter; no confidentiality impact, integrity and availability high due to content/asset destruction.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 19:02 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 18:17 vuln.today
Analysis Generated
Jun 19, 2026 - 18:17 vuln.today

DescriptionCVE.org

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default - a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.

AnalysisAI

Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Statamic site with user-sortable listing
Delivery
Send GET with crafted sort query parameter
Exploit
Value resolved into unsafe method call on in-memory Collection
Execution
Destructive method executes on entries or assets
Impact
Content and assets deleted

Vulnerability AssessmentAI

Exploitation Requires a front-end Antlers/Blade template that explicitly passes a request-controlled value (query string, form input, or route parameter) into a Statamic tag's sort parameter against an affected version (<5.73.23 or 6.x <6.20.0); default Statamic templates do not do this, and the vendor explicitly states it is not exploitable by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 7.4 (AV:N/AC:H/PR:N/UI:N/C:N/I:H/A:H) accurately captures a network-reachable, unauthenticated integrity/availability attack, but AC:H reflects the real-world gate: a developer must have wired request input into a tag's sort parameter, which Statamic explicitly says is not the default. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated visitor browsing a public Statamic site whose template renders entries with a sort parameter populated from a query string (e.g. ?sort=title) substitutes a crafted value that resolves to a destructive method on the in-memory collection, causing entries or assets to be removed. …
Remediation Vendor-released patch: upgrade to Statamic 5.73.23 (5.x branch) or 6.20.0 (6.x branch) via Composer (composer update statamic/cms), per the GitHub Security Advisories at https://github.com/statamic/cms/security/advisories/GHSA-m92m-r54r-x8r2 and https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Statamic instances in production, determine which versions are deployed, and assess which templates accept visitor input for sort operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-49287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy