CVE-2026-49287: Statamic CMS's unsafe method invocation via collection sorting allows data destruction

June 26, 2026

The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets.

This requires a front-end template that passes request input into a tag’s sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value.

References

github.com/advisories/GHSA-m92m-r54r-x8r2
github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w
github.com/statamic/cms/security/advisories/GHSA-m92m-r54r-x8r2
nvd.nist.gov/vuln/detail/CVE-2026-49287

Code Behaviors & Features

Detect and mitigate CVE-2026-49287 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →