PT-2026-26065 · Statamic · Statamic

Spbavarva · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33171

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Statamic versions prior to 5.73.14
Statamic versions prior to 6.7.0

Description

Statamic is a Laravel and Git powered content management system (CMS). Authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the filename configuration parameter sent to the API endpoint used by the file dictionary fieldtype.

Recommendations

Update to Statamic version 5.73.14 or later.
Update to Statamic version 6.7.0 or later.

Exploit

Fix

Path traversal

Weakness Enumeration

Related identifiers

CVE-2026-33171
GHSA-QM7R-WWQ7-6F85

Affected products

Statamic