Skip to main content

CVE-2026-33171

MEDIUM
Path Traversal (CWE-22)
2026-03-18 https://github.com/statamic/cms GHSA-qm7r-wwq7-6f85
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:15 vuln.today
CVE Published
Mar 18, 2026 - 20:00 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

Authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's endpoint.

Patches

This has been fixed in 5.73.14 and 6.7.0.

AnalysisAI

Authenticated Control Panel users can read arbitrary JSON, YAML, and CSV files from the server by manipulating the filename parameter in the fieldtype endpoint, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects versions prior to 5.73.14 and 6.7.0. No patch is currently available for affected deployments.

Technical ContextAI

The vulnerability exists in Statamic CMS (pkg:composer/statamic_cms), a PHP-based headless content management system. The flaw resides in the fieldtype endpoint handler that processes the file dictionary's filename configuration parameter without proper input validation or path sanitization. This is a classic instance of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal). An attacker with valid Control Panel credentials can manipulate the filename parameter to traverse the server's directory structure using path traversal sequences (e.g., ../) to access files outside the intended directory. The vulnerability affects specific file types (JSON, YAML, CSV) that may contain sensitive configuration data, application secrets, or user information.

RemediationAI

Upgrade Statamic CMS to version 5.73.14 or later if running the 5.x branch, or to version 6.7.0 or later if running the 6.x branch. Apply the patch immediately through your package manager (Composer) by running composer require statamic/cms:^5.73.14 or composer require statamic/cms:^6.7.0 depending on your current version. As a temporary workaround pending patching, restrict Control Panel access to trusted IP addresses via firewall rules or reverse proxy configuration, implement least-privilege access controls to limit the number of users with Control Panel credentials, and monitor access logs for suspicious file read patterns. For environments where immediate patching is not feasible, consider disabling the affected fieldtype endpoint until an upgrade can be scheduled. Consult the vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85 for additional context and implementation guidance.

Share

CVE-2026-33171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy