Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Network-reachable via HTTP without auth or interaction (AV:N/PR:N/UI:N); AC:H because exploitation depends on a non-default template wiring request input into a sort parameter; no confidentiality impact, integrity and availability high due to content/asset destruction.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default - a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.
AnalysisAI
Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a front-end Antlers/Blade template that explicitly passes a request-controlled value (query string, form input, or route parameter) into a Statamic tag's sort parameter against an affected version (<5.73.23 or 6.x <6.20.0); default Statamic templates do not do this, and the vendor explicitly states it is not exploitable by default. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 7.4 (AV:N/AC:H/PR:N/UI:N/C:N/I:H/A:H) accurately captures a network-reachable, unauthenticated integrity/availability attack, but AC:H reflects the real-world gate: a developer must have wired request input into a tag's sort parameter, which Statamic explicitly says is not the default. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated visitor browsing a public Statamic site whose template renders entries with a sort parameter populated from a query string (e.g. ?sort=title) substitutes a crafted value that resolves to a destructive method on the in-memory collection, causing entries or assets to be removed. … |
| Remediation | Vendor-released patch: upgrade to Statamic 5.73.23 (5.x branch) or 6.20.0 (6.x branch) via Composer (composer update statamic/cms), per the GitHub Security Advisories at https://github.com/statamic/cms/security/advisories/GHSA-m92m-r54r-x8r2 and https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Statamic instances in production, determine which versions are deployed, and assess which templates accept visitor input for sort operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38057
GHSA-m92m-r54r-x8r2