CVE-2026-33171

MEDIUM4.3EPSS 0.02%

Statamic has a path traversal in file dictionary fieldtype

發布日:2026/3/18修改日:2026/3/25

描述

### Impact Authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. ### Patches This has been fixed in 5.73.14 and 6.7.0.

受影響套件(1)

Packagist/statamic/cms>= 6.0.0-alpha.1, < 6.7.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33171
PATCHhttps://github.com/statamic/cms
WEBhttps://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85