CVE-2026-33177

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:37

Type Values Removed Values Added
Summary
  • (es) Statamic es un sistema de gestión de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.14 y 6.7.0, los usuarios del Panel de Control con bajos privilegios podían crear términos de taxonomía enviando solicitudes al endpoint de procesamiento de acciones de campo con definiciones de campo controladas por el atacante. Esto elude las comprobaciones de autorización aplicadas en el endpoint estándar de creación de términos de taxonomía. Esto ha sido corregido en 5.73.14 y 6.7.0.

23 Mar 2026, 18:45

Type Values Removed Values Added
First Time Statamic statamic
Statamic
References () https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g - () https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g - Vendor Advisory
CPE cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

20 Mar 2026, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-20 22:16

Updated : 2026-06-17 10:37


NVD link : CVE-2026-33177

Mitre link : CVE-2026-33177

CVE.ORG link : CVE-2026-33177


JSON object : View

Products Affected

statamic

  • statamic
CWE
CWE-862

Missing Authorization