PT-2026-26205 · Statamic · Statamic
Everythingblackkk · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33177
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Statamic 5.x, versions prior to 5.73.14
Statamic 6.x, versions prior to 6.7.0
Description
Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint, /cp/field/action, with attacker-controlled field definitions. That endpoint processed the supplied field definitions without applying the authorization checks enforced on the standard taxonomy term creation endpoint, so a user who is denied on the standard endpoint could still create terms by going through /cp/field/action. The CVSS vector reflects this: an authenticated low-privileged user (PR:L) over the network, integrity impact only (I:L), no confidentiality or availability impact.
Recommendations
Update Statamic 5.x installations to version 5.73.14 or later.
Update Statamic 6.x installations to version 6.7.0 or later.
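Two checks a practitioner would want after reading this advisory, as an added example that is neither Statamic project code nor part of the advisory: a version test against the two fixed releases named above, and a triage pass over web server access logs for requests to /cp/field/action, flagging sources that were refused (HTTP 403) on another Control Panel path and then reached the field action endpoint. Assumptions: plain major.minor.patch version strings, Apache/nginx combined-format access logs, and a constructed log sample in which the standard term-creation path /cp/taxonomies/tags/terms is a placeholder, since the advisory does not name that path.

```python
"""Triage helpers for CVE-2026-33177 (Statamic /cp/field/action, missing authorization).

Added example for this advisory, not Statamic project code. Assumptions:
plain "major.minor.patch" version strings and Apache/nginx combined-format
access logs. SAMPLE_LOG is constructed, not captured traffic.
"""
import re
from collections import Counter

# Fixed releases stated in the advisory, one per affected branch.
FIXED = {5: (5, 73, 14), 6: (6, 7, 0)}
FIELD_ACTION_PATH = "/cp/field/action"

# Constructed log lines. The /cp/taxonomies/tags/terms path is an assumed
# placeholder for the standard term-creation endpoint, which the advisory
# does not name.
SAMPLE_LOG = """\
203.0.113.5 - editor [18/Mar/2026:10:01:02 +0000] "GET /cp/collections/pages HTTP/1.1" 200 5120
203.0.113.5 - editor [18/Mar/2026:10:01:09 +0000] "POST /cp/field/action HTTP/1.1" 200 312
198.51.100.7 - contributor [18/Mar/2026:10:03:44 +0000] "POST /cp/taxonomies/tags/terms HTTP/1.1" 403 87
198.51.100.7 - contributor [18/Mar/2026:10:03:51 +0000] "POST /cp/field/action HTTP/1.1" 200 298
198.51.100.7 - contributor [18/Mar/2026:10:03:55 +0000] "POST /cp/field/action?debug=1 HTTP/1.1" 200 298
192.0.2.9 - - [18/Mar/2026:10:05:00 +0000] "GET /blog/tags/news HTTP/1.1" 200 8001
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'v5.73.13' -> (5, 73, 13). Missing components count as 0."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def is_vulnerable(version):
    """True when the installed version predates the fix for its branch.

    Everything below the 5.x fix (including older majors) is "prior to
    5.73.14"; 6.x is compared with 6.7.0; later majors are treated as fixed.
    """
    v = parse_version(version)
    fixed = FIXED[6] if v[0] >= 6 else FIXED[5]
    return v < fixed


def parse_log(lines):
    """Yield one record per line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            # Drop the query string and a trailing slash so variants still match.
            rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")
            rec["status"] = int(rec["status"])
            yield rec


def field_action_requests(lines):
    """Every request to the field action endpoint, whatever the method."""
    return [r for r in parse_log(lines) if r["path"] == FIELD_ACTION_PATH]


def requests_per_source(lines):
    """Count field action hits by (ip, user) so heavy callers stand out."""
    return Counter((r["ip"], r["user"]) for r in field_action_requests(lines))


def denied_then_field_action(lines):
    """Sources refused (403) on another Control Panel path that later reached
    the field action endpoint: the shape of the bypass this advisory describes."""
    denied = set()
    flagged = []
    for r in parse_log(lines):
        src = (r["ip"], r["user"])
        in_cp = r["path"].startswith("/cp/") and r["path"] != FIELD_ACTION_PATH
        if in_cp and r["status"] == 403:
            denied.add(src)
        elif r["path"] == FIELD_ACTION_PATH and src in denied and src not in flagged:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for ver in ("5.73.13", "5.73.14", "6.6.9", "6.7.0"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    lines = SAMPLE_LOG.splitlines()
    print(requests_per_source(lines))
    print(denied_then_field_action(lines))
```

On a real deployment, feed the access log into `denied_then_field_action` for the window before the upgrade; a source that was refused on the standard endpoint and then called /cp/field/action deserves a look at which taxonomy terms it created.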
Weakness Enumeration
Missing Authorization (CWE-862)
Related identifiers
CVE-2026-33177
Affected products
Statamic