Threat Advisory

Statamic CMS Flaws Leading to Unpermitted Actions and Record Changes

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A set of three vulnerabilities impacting the Statamic CMS ecosystem stem from improper authorization and input validation mechanisms, allowing attackers to manipulate application behavior through crafted requests. These flaws primarily enable unauthorized actions such as taxonomy manipulation and potential data tampering without sufficient access controls. Exploitation does not typically require high privileges, which increases the risk in publicly exposed or misconfigured deployments. Collectively, these issues highlight weaknesses in access control enforcement and input handling within CMS components that could be leveraged to compromise content integrity and application logic.

  • CVE-2026-33177: Missing authorization checks in Statamic CMS allow attackers to create or manipulate taxonomy terms without proper permissions. This could lead to unauthorized content modification and potential abuse of CMS functionality. The vulnerability has a CVSS score of 4.3.
  • CVE-2026-33171: A path traversal flaw in the Statamic file dictionary fieldtype allowed authenticated Control Panel users to read arbitrary .json, .yaml, and .csv files by manipulating the filename parameter. The vulnerability has a CVSS score of 4.3.
  • CVE-2026-33172: A stored cross-site scripting (XSS) vulnerability via an SVG sanitization bypass occurred when authenticated users with asset upload permissions could upload SVG files that executed JavaScript in viewers' browsers due to inadequate sanitization. The vulnerability has a CVSS score of 8.7.
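The path traversal issue above is the kind of defect that a layered filename check prevents. The following is an added defensive example, not Statamic's own code; the `resolve_dictionary_file` function, the `dictionaries` directory and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Only these dictionary formats may be served; anything else is refused.
ALLOWED_EXTENSIONS = {".json", ".yaml", ".csv"}

class DictionaryFileError(ValueError):
    """Raised when a requested dictionary file fails validation."""

def resolve_dictionary_file(base_dir: str, filename: str) -> str:
    """Return the canonical path of `filename` inside `base_dir`, or raise.

    Layered check: no NUL bytes, no path separators (a dictionary entry is a
    bare name), an allow-listed extension, and a containment test on the
    realpath so that neither `..` nor a symlink can leave the directory.
    """
    if not filename or "\x00" in filename:
        raise DictionaryFileError("empty or NUL-containing filename")
    if "/" in filename or "\\" in filename:
        raise DictionaryFileError("path separators are not allowed")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise DictionaryFileError("extension is not allow-listed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise DictionaryFileError("resolved path escapes the dictionary directory")
    if not os.path.isfile(candidate):
        raise DictionaryFileError("no such dictionary file")
    return candidate

def demo() -> dict:
    """Build a constructed directory layout and classify a few sample requests."""
    root = tempfile.mkdtemp()
    dict_dir = os.path.join(root, "dictionaries")  # hypothetical location
    os.makedirs(dict_dir)
    Path(dict_dir, "countries.json").write_text('{"NL": "Netherlands"}')
    Path(root, "config.yaml").write_text("secret: constructed-value")
    # A symlink inside the directory that points outside it (constructed).
    os.symlink(os.path.join(root, "config.yaml"), os.path.join(dict_dir, "link.yaml"))
    results = {}
    for name in ["countries.json", "../config.yaml", "link.yaml", "countries.txt"]:
        try:
            resolve_dictionary_file(dict_dir, name)
            results[name] = "accepted"
        except DictionaryFileError as exc:
            results[name] = f"rejected ({exc})"
    return results
```

The realpath containment test is the part that an extension allowlist alone does not give you: a symlinked `.yaml` inside the directory still resolves outside it and is refused.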


RECOMMENDATION:

  • We strongly recommend you update Statamic CMS to version 5.73.15 or 6.7.1 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-wh3h-gvc4-cc2g
https://github.com/advisories/GHSA-qm7r-wwq7-6f85
https://github.com/advisories/GHSA-7rcv-55mj-chg7
