PatchSiren cyber security CVE debrief

CVE-2026-49287 Statamic CVE debrief

CVE-2026-49287 is a HIGH-severity vulnerability in Statamic CMS, with a CVSS score of 7.4. The issue is an incomplete fix for CVE-2026-41175, allowing for loss of content and assets by manipulating sort parameters in a front-end template. This requires a template explicitly set up to sort by a visitor-controlled value. The vulnerability was published on June 19, 2026, and affects Statamic CMS versions prior to 5.73.23 and 6.20.0. Defenders should prioritize patching to limit exposure.

Vendor: statamic
Product: cms
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Defenders managing Statamic CMS installations, particularly those with publicly accessible front-end templates, should prioritize patching to limit exposure. This includes developers, system administrators, and security teams responsible for maintaining the CMS. The vulnerability's HIGH severity and potential for content loss make it a critical concern.

Technical summary

CVE-2026-49287 is a vulnerability in Statamic CMS, a Laravel and Git-powered content management system. The issue arises from an incomplete fix for CVE-2026-41175: the earlier fix covered the query builder but not in-memory collection sorting. By manipulating sort parameters in a front-end template, an attacker could potentially cause loss of content and assets. Exploitation requires a template explicitly set up to sort by a visitor-controlled value, so the issue is not exploitable by default. The vulnerability has been fixed in Statamic CMS versions 5.73.23 and 6.20.0.

Defensive priority

Patching is critical due to HIGH severity and potential for content loss.

Recommended defensive actions

  • Update Statamic CMS to a fixed release: 5.73.23 on the 5.x branch or 6.20.0 on the 6.x branch.
  • Review front-end templates for any that sort by a visitor-controlled value, such as a query parameter.
  • Limit exposure by not passing visitor-controlled values into sort parameters.
  • Monitor for suspicious activity related to sort parameters.
  • Inventory Statamic CMS installations and their versions to prioritize patching.
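The template precondition above (a page that sorts by a visitor-controlled value) is the part a site owner can close regardless of patch status. The following is an added illustration, not Statamic's own code or a fix from the advisories: it assumes a PHP/Laravel front end that reads a visitor-supplied `?sort=` query parameter and previously handed it straight to a collection sort. The hypothetical `safeSortParam` helper reduces that input to an allowlisted field and direction before any sorting happens, so an arbitrary sort expression from a visitor never reaches the collection layer.

```php
<?php
// Added illustration, not Statamic's own code. Assumes a front-end page
// that accepts a visitor-supplied ?sort= query parameter. The helper below
// is hypothetical and returns only "field:direction" strings built from an
// allowlist; any other input falls back to the default sort.

declare(strict_types=1);

/**
 * Reduce a visitor-supplied sort value to a known field and direction.
 *
 * @param string|null $requested     raw value from the request (may be absent)
 * @param string[]    $allowedFields field names the template may sort by
 * @param string      $default       sort used when the input is not acceptable
 */
function safeSortParam(?string $requested, array $allowedFields, string $default = 'date:desc'): string
{
    if ($requested === null || $requested === '') {
        return $default;
    }

    // Accept only "field" or "field:asc|desc"; anything else is rejected outright.
    if (!preg_match('/^([a-z_]+)(?::(asc|desc))?$/i', $requested, $m)) {
        return $default;
    }

    $field = strtolower($m[1]);
    // PHP omits a trailing unmatched group from $m, so default the direction here.
    $direction = strtolower($m[2] ?? 'asc');

    // The field must be one the template owner explicitly allowed.
    if (!in_array($field, $allowedFields, true)) {
        return $default;
    }

    return $field . ':' . $direction;
}

// Constructed sample inputs representing what a visitor might place in ?sort=.
$allowed = ['title', 'date'];
$samples = ['title', 'date:desc', 'TITLE:ASC', 'author', 'title:desc;extra', '', null];

foreach ($samples as $input) {
    printf("%-22s -> %s\n", var_export($input, true), safeSortParam($input, $allowed));
}
// Expected: title -> title:asc, date:desc -> date:desc, TITLE:ASC -> title:asc,
// and every other sample -> date:desc (the default).
```

The allowlist lives with the template owner, not the visitor: adding a sortable field means adding it to `$allowedFields`, and nothing a visitor types can introduce a field or expression the owner did not list. In a Statamic template the sanitized string is what you would pass as the sort value, in place of the raw request parameter.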

Evidence notes

The CVE record (cve.org) and NVD detail (nvd.nist.gov) provide official information on CVE-2026-49287. GitHub security advisories (GHSA-4jjr-vmv7-wh4w and GHSA-m92m-r54r-x8r2) offer additional context on the vulnerability and fix. The vulnerability's HIGH severity and potential impact emphasize the need for prompt patching and review of front-end templates.

Official resources

This article is AI-assisted and based on the supplied source corpus.