{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33177", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.719Z", "datePublished": "2026-03-20T21:41:36.485Z", "dateUpdated": "2026-03-23T16:49:26.359Z"}, "containers": {"cna": {"title": "Statamic is missing authorization check on taxonomy term creation via fieldtype", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 6.0.0-alpha.1, < 6.7.0", "status": "affected"}, {"version": "< 5.73.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:41:36.485Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0."}], "source": {"advisory": "GHSA-wh3h-gvc4-cc2g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:49:16.425996Z", "id": "CVE-2026-33177", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:49:26.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:49:16.425996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:49:23.148Z"}}], "cna": {"title": "Statamic is missing authorization check on taxonomy term creation via fieldtype", "source": {"advisory": "GHSA-wh3h-gvc4-cc2g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.7.0"}, {"status": "affected", "version": "< 5.73.14"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "name": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:41:36.485Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33177", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:49:26.359Z", "dateReserved": "2026-03-17T22:16:36.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T21:41:36.485Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "23CF5975-D5BE-4138-AE2F-95F7BBE00F20", "versionEndExcluding": "5.73.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B99B257-0FC1-4CF9-B006-8AEC17235BC8", "versionEndExcluding": "6.7.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0."}], "id": "CVE-2026-33177", "lastModified": "2026-03-23T18:45:27.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T22:16:29.117", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-03-23T20:40:15.699291+00:00", "value": {"mitigation_remediation": ["Upgrade Statamic to version 5.73.14 or newer, or 6.7.0 or newer, to receive the resolved authorization checks."], "summary": {"action": "Apply Patch", "impact": "Unauthorized taxonomy term creation by low\u2011privilege Control Panel users"}, "threat_synthesis": {"affected_systems": "The issue affects all Statamic installations running versions earlier than 5.73.14 for the 5.x branch and earlier than 6.7.0 for the 6.x branch. Only the CMS itself is vulnerable; plugins or themes do not add further risk beyond the core CMS behaviour.", "description_and_impact": "Statamic, a Laravel\u2011based content management system, contains a flaw where a field action processing endpoint can be abused to create taxonomy terms without the required authorization checks. This weakness, classified as an authorization bypass (CWE\u2011862), lets users with minimal permissions add new terms by submitting crafted field definitions, potentially altering site content or navigation in ways the user should not be able to control.", "risk_and_exploitability": "The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests only a small portion of attackers are expected to exploit this vulnerability. It is not listed in CISA\u2019s KEV catalog. The vulnerability can be exploited through the Control Panel by submitting a crafted request to the field action endpoint, and thus it requires authenticated access, but only to a low\u2011privilege user account."}}}}, "created": "2026-03-23T09:52:33.083303+00:00", "updated": "2026-03-25T14:34:27.010427+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}