{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33171", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.718Z", "datePublished": "2026-03-20T21:39:40.048Z", "dateUpdated": "2026-03-23T21:41:51.358Z"}, "containers": {"cna": {"title": "Statamic has a path traversal in file dictionary fieldtype", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 6.0.0-alpha.1, < 6.7.0", "status": "affected"}, {"version": "< 5.73.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:39:40.048Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0."}], "source": {"advisory": "GHSA-qm7r-wwq7-6f85", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T20:52:53.542346Z", "id": "CVE-2026-33171", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T21:41:51.358Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33171", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T20:52:53.542346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T21:31:38.654Z"}}], "cna": {"title": "Statamic has a path traversal in file dictionary fieldtype", "source": {"advisory": "GHSA-qm7r-wwq7-6f85", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.7.0"}, {"status": "affected", "version": "< 5.73.14"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85", "name": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:39:40.048Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33171", "state": "PUBLISHED", "dateUpdated": "2026-03-23T21:41:51.358Z", "dateReserved": "2026-03-17T22:16:36.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T21:39:40.048Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "23CF5975-D5BE-4138-AE2F-95F7BBE00F20", "versionEndExcluding": "5.73.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B99B257-0FC1-4CF9-B006-8AEC17235BC8", "versionEndExcluding": "6.7.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0."}], "id": "CVE-2026-33171", "lastModified": "2026-03-23T18:46:31.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T22:16:28.820", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-03-23T21:35:37.878226+00:00", "value": {"mitigation_remediation": ["Check the current Statamic CMS version to determine if it is below 5.73.14 or 6.7.0.", "Upgrade the CMS to the latest patched release (5.73.14 or newer, 6.7.0 or newer) and verify that the file dictionary fieldtype no longer accepts arbitrary filenames.", "Restart the application and monitor logs for any attempts to access prohibited files; apply additional access controls if necessary."], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects Statamic CMS versions earlier than 5.73.14 and 6.7.0. The affected component is the file dictionary fieldtype within the Control Panel. Administrators running these versions should be aware that any authenticated user can trigger the flaw.", "description_and_impact": "A path traversal flaw in the Statamic file dictionary fieldtype enables an authenticated Control Panel user to manipulate the filename configuration parameter and read arbitrary .json, .yaml, or .csv files on the server. This vulnerability, classified as CWE-22, results in unauthorized disclosure of sensitive data such as configuration settings or credentials, compromising confidentiality without affecting integrity or availability.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score is below 1%, meaning exploitation is unlikely in the current threat landscape. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector requires an authenticated Control Panel user to submit a crafted filename to the affected endpoint; the flaw permits read\u2011only access, making confidentiality the primary concern."}}}}, "created": "2026-03-23T09:52:34.806950+00:00", "updated": "2026-03-25T14:34:28.891715+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}