HIGH 7.4
GHSA-m92m-r54r-x8r2
Statamic CMS's unsafe method invocation via collection sorting allows data destruction
Details
### Impact
The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets.
This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value.
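As an added example, not code from the advisory or from Statamic itself: the safe shape of the template pattern the advisory describes is to resolve the visitor's sort choice against an allowlist in PHP before it ever reaches a tag's sort parameter. It assumes Statamic's `field:direction` sort syntax (multiple sorts joined with `|`) and the `{{ get:sort }}` template variable; the helper name and the field list are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of Statamic. The idea: resolve the visitor's
// sort choice against an allowlist in PHP, then pass the result to the view,
// so the template uses sort="{{ sort }}" rather than sort="{{ get:sort }}".
// Assumes Statamic's "field:direction" syntax, with "|" joining multiple sorts.
function allowlistedSort(?string $input, array $allowedFields, string $default): string
{
    if ($input === null || trim($input) === '') {
        return $default;
    }

    $clean = [];
    foreach (explode('|', $input) as $segment) {
        $parts = explode(':', trim($segment), 2);
        $field = strtolower($parts[0]);
        $direction = strtolower($parts[1] ?? 'asc');

        // Field must match an approved name exactly and direction must be
        // asc/desc; any other value discards the whole request and falls back.
        if (!in_array($field, $allowedFields, true)
            || !in_array($direction, ['asc', 'desc'], true)) {
            return $default;
        }
        $clean[] = $field . ':' . $direction;
    }

    return implode('|', $clean);
}

// Constructed sample inputs standing in for request()->query('sort').
$allowed = ['title', 'date', 'price'];
$samples = [
    'date:desc'       => 'date:desc',           // approved field and direction
    'title'           => 'title:asc',           // direction defaults to asc
    'Title:DESC|date' => 'title:desc|date:asc', // case-normalised, two sorts
    'not_a_field'     => 'date:desc',           // unknown field -> default
    'title:sideways'  => 'date:desc',           // bad direction -> default
    ''                => 'date:desc',           // missing -> default
];

foreach ($samples as $input => $expected) {
    $result = allowlistedSort($input, $allowed, 'date:desc');
    if ($result !== $expected) {
        throw new RuntimeException("unexpected sort for '$input': $result");
    }
    printf("%-18s => %s\n", "'$input'", $result);
}
```

The helper returns the default whenever any segment fails validation, so the tag only ever receives values taken from the allowlist.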
### Patches
This has been fixed in 5.73.23 and 6.20.0.
### Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| Packagist / statamic/cms | 0 | 5.73.23 | `composer require statamic/cms:^5.73.23` |
| Packagist / statamic/cms | 6.0.0 | 6.20.0 | `composer require statamic/cms:^6.20.0` |