Statamic CMS's unsafe method invocation via collection sorting allows data destruction
Package
Affected versions
< 5.73.23
>= 6.0.0, < 6.20.0
Patched versions
5.73.23
6.20.0
Description
Published by the National Vulnerability Database
Jun 19, 2026
Published to the GitHub Advisory Database
Jun 26, 2026
Reviewed
Jun 26, 2026
Last updated
Jun 26, 2026
Impact
The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets.
This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value.
Patches
This has been fixed in 5.73.23 and 6.20.0.
References