CVE-2026-33177

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:statamic:statamic::::::::
	cpe:2.3:a:statamic:statamic::::::::

History

No history.

Information

Published : 2026-03-20 22:16

Updated : 2026-03-23 18:45

NVD link : CVE-2026-33177

Mitre link : CVE-2026-33177

CVE.ORG link : CVE-2026-33177

JSON object : View

Products Affected

statamic

statamic

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-33177", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T22:16:29.117", "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0."}, {"lang": "es", "value": "Statamic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.14 y 6.7.0, los usuarios del Panel de Control con bajos privilegios pod\u00edan crear t\u00e9rminos de taxonom\u00eda enviando solicitudes al endpoint de procesamiento de acciones de campo con definiciones de campo controladas por el atacante. Esto elude las comprobaciones de autorizaci\u00f3n aplicadas en el endpoint est\u00e1ndar de creaci\u00f3n de t\u00e9rminos de taxonom\u00eda. Esto ha sido corregido en 5.73.14 y 6.7.0."}], "lastModified": "2026-03-23T18:45:27.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23CF5975-D5BE-4138-AE2F-95F7BBE00F20", "versionEndExcluding": "5.73.14"}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B99B257-0FC1-4CF9-B006-8AEC17235BC8", "versionEndExcluding": "6.7.0", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}