In-memory Collection Sorting Vulnerability in Statamic CMS from Vendor Statamic
CVE-2026-49287

7.4 HIGH

Key Information:

Vendor

Statamic

Status
Vendor
CVE Published: 19 June 2026

What is CVE-2026-49287?

Statamic, a popular Laravel- and Git-powered content management system, has a vulnerability that affects versions 5.73.22 and earlier, as well as 6.19.9 and earlier. The issue stems from incomplete safeguards for a previously identified vulnerability, which can lead to potential content loss when sort parameters are manipulated. It occurs when a front-end template is designed to take certain request inputs and apply them as sort values. Users are advised to upgrade to version 5.73.23 or 6.20.0, where the issue has been fixed.

Affected Version(s)

cms < 5.73.23

cms >= 6.0.0, < 6.20.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved