PT-2026-26205 · Statamic · Statamic
Everythingblackkk · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33177
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Statamic 5.x versions prior to 5.73.14
Statamic 6.x versions prior to 6.7.0
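A branch-aware version check for the two ranges above, added here as an example and not part of the advisory or of Statamic itself: it reads the statamic/cms entry from composer.lock and compares the installed release against the fixed versions 5.73.14 and 6.7.0 on their respective branches. The package name statamic/cms and the composer.lock layout are assumptions; versions that are not numeric (for example a dev-main checkout) are reported as unknown rather than as safe.

```php
<?php
// Added check, not from the advisory or from Statamic. Assumes the package
// is published as statamic/cms and that composer.lock lists it under "packages".
declare(strict_types=1);

/**
 * Returns true if $version is inside an affected range, false if it is fixed
 * or on a major the advisory does not list, and null if the string cannot be
 * judged (e.g. "dev-main"). Branch-aware: 5.x and 6.x have different fixes.
 */
function isAffected(string $version): ?bool
{
    $v = ltrim($version, 'v');
    if (!preg_match('/^(\d+)\.\d+/', $v, $m)) {
        return null;
    }
    return match ((int) $m[1]) {
        5 => version_compare($v, '5.73.14', '<'),
        6 => version_compare($v, '6.7.0', '<'),
        default => false, // majors not listed in the advisory
    };
}

/** Pulls the installed statamic/cms version out of composer.lock JSON. */
function installedStatamicVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'statamic/cms') {
            return $pkg['version'] ?? null;
        }
    }
    return null;
}

// Constructed composer.lock fragment; on a real site use
// file_get_contents('composer.lock') instead.
$lockJson = '{"packages":[{"name":"statamic/cms","version":"v5.73.13"}]}';

$version = installedStatamicVersion($lockJson);
$verdict = match (true) {
    $version === null              => 'statamic/cms not found in lock file',
    isAffected($version) === null  => "$version: cannot judge from version string",
    isAffected($version)           => "$version: AFFECTED, update to 5.73.14 / 6.7.0 or later",
    default                        => "$version: not affected",
};
echo $verdict, PHP_EOL;
```

Pre-release tags are handled by version_compare (6.7.0-beta.1 sorts below 6.7.0 and is therefore flagged), which is the conservative choice for a patch check.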
Description
Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint, /cp/field/action, with attacker-controlled field definitions. Because the field definition carried in the request decides what the endpoint does, a user who is denied by the authorization checks on the standard taxonomy term creation endpoint can still cause terms to be created, bypassing those checks. The weakness is missing authorization: the side effect is reachable through a second path that never re-checks the permission the primary path enforces.
Recommendations
Sites on the 5.x branch: update to Statamic 5.73.14 or later.
Sites on the 6.x branch: update to Statamic 6.7.0 or later.
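The pattern behind the description above, shown as an added illustration: this is not Statamic's code and makes no claim about how the vendor patch is implemented. It places an endpoint that trusts a client-supplied field definition beside a variant that resolves the definition server-side and routes every term creation through the same permission check as the standard create-term endpoint. All class, function and permission names (User, TermStore, createTermEndpoint, fieldActionVulnerable, fieldActionHardened, "access cp", "create tags terms") are hypothetical.

```php
<?php
// Added illustration only: not Statamic code, and not a description of the
// vendor fix. Every name and permission string below is hypothetical.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions */
    public function __construct(private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

/** In-memory stand-in for a taxonomy term repository. */
final class TermStore
{
    /** @var array<string, string[]> taxonomy handle => created term slugs */
    public array $terms = [];

    public function create(string $taxonomy, string $slug): void
    {
        $this->terms[$taxonomy][] = $slug;
    }
}

/** Standard create-term endpoint: the permission check runs before any write. */
function createTermEndpoint(User $user, TermStore $store, string $taxonomy, string $slug): bool
{
    if (!$user->can("create {$taxonomy} terms")) {
        return false; // would be a 403 response
    }
    $store->create($taxonomy, $slug);
    return true;
}

/**
 * Vulnerable pattern: the request body carries the field definition, so the
 * caller chooses which fieldtype runs and which taxonomy it targets. The only
 * gate is CP access; the "create missing terms" side effect never re-checks
 * the permission that the standard endpoint enforces.
 */
function fieldActionVulnerable(User $user, TermStore $store, array $request): bool
{
    if (!$user->can('access cp')) {
        return false;
    }
    $field = $request['field']; // attacker-controlled definition
    if (($field['type'] ?? '') === 'terms' && !empty($field['config']['create'])) {
        foreach ($request['values'] as $slug) {
            $store->create($field['config']['taxonomy'], $slug); // no authorization
        }
    }
    return true;
}

/**
 * Hardened pattern: the field definition is looked up server-side from the
 * blueprint being edited instead of being taken from the request, and each
 * term creation goes through the same check as the standard endpoint.
 */
function fieldActionHardened(User $user, TermStore $store, array $blueprints, array $request): bool
{
    if (!$user->can('access cp')) {
        return false;
    }
    $field = $blueprints[$request['blueprint'] ?? ''][$request['handle'] ?? ''] ?? null;
    if ($field === null) {
        return false; // unknown field: refuse instead of trusting the client's copy
    }
    if ($field['type'] === 'terms' && !empty($field['config']['create'])) {
        foreach ($request['values'] as $slug) {
            if (!createTermEndpoint($user, $store, $field['config']['taxonomy'], $slug)) {
                return false;
            }
        }
    }
    return true;
}

// Constructed scenario: a user with CP access but no permission to create terms.
// The server-side blueprint field targets "tags"; the client-supplied definition
// points at "categories" instead, showing that the caller picks the target.
$lowPriv = new User(['access cp']);
$blueprints = ['article' => ['tags' => [
    'type' => 'terms', 'config' => ['taxonomy' => 'tags', 'create' => true],
]]];
$request = [
    'blueprint' => 'article',
    'handle'    => 'tags',
    'field'     => ['type' => 'terms', 'config' => ['taxonomy' => 'categories', 'create' => true]],
    'values'    => ['injected-term'],
];

$store = new TermStore();
$direct = createTermEndpoint($lowPriv, $store, 'categories', 'injected-term');
$viaField = fieldActionVulnerable($lowPriv, $store, $request);
printf("standard endpoint: %s, vulnerable field action: %s, terms: %s\n",
    var_export($direct, true), var_export($viaField, true), json_encode($store->terms));

$store = new TermStore();
$hardened = fieldActionHardened($lowPriv, $store, $blueprints, $request);
printf("hardened field action: %s, terms: %s\n",
    var_export($hardened, true), json_encode($store->terms));
```

The two properties worth checking in any similar endpoint are visible in the hardened variant: the server, not the client, decides which definition is in force, and the write is authorized at the point where it happens rather than only at the front door.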
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2026-33177
Affected Products
Statamic