EXECUTIVE SUMMARY:
CVE-2026-49287, with a CVSS score of 7.4, is a vulnerability affecting Statamic CMS, specifically impacting versions. The flaw arises because an earlier fix was incomplete: the query builder was protected, but in-memory collection sorting remained exposed to unsafe method invocation. An unauthenticated attacker can exploit the issue over the network by manipulating specific sort parameters, with no user interaction or privileges required. Successful exploitation lets the attacker trigger the destruction of data, leading to the irreversible loss of website content and digital assets. The business impact is significant, with high integrity and availability consequences that disrupt operations and can result in permanent data loss. However, the vulnerability is not exploitable out of the box; it requires a specific prerequisite condition in which a front-end template is explicitly configured to pass visitor-controlled request input directly into a tag's sort parameter.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: