CVE-2026-33171

MEDIUM4.3EPSS 0.02%

Statamic has a path traversal in file dictionary fieldtype

Published: 3/18/2026Modified: 3/25/2026

Description

### Impact Authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. ### Patches This has been fixed in 5.73.14 and 6.7.0.

Affected packages (1)

Packagist/statamic/cms>= 6.0.0-alpha.1, < 6.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33171
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85