CVE-2026-33177
MEDIUM4.3EPSS 0.01%Statamic is missing authorization check on taxonomy term creation via fieldtype
發布日:2026/3/18修改日:2026/3/25
描述
### Impact Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. ### Patches This has been fixed in 5.73.14 and 6.7.0.
受影響套件(1)
- Packagist/statamic/cms>= 6.0.0-alpha.1, < 6.7.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |