CVE-2026-33177 (GCVE-0-2026-33177)

Vulnerability from cvelistv5 – Published: 2026-03-20 21:41 – Updated: 2026-03-23 16:49
VLAI
Title
Statamic is missing authorization check on taxonomy term creation via fieldtype
Summary
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
statamic cms Affected: >= 6.0.0-alpha.1, < 6.7.0
Affected: < 5.73.14
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33177",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T16:49:16.425996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T16:49:26.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "statamic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.0.0-alpha.1, \u003c 6.7.0"
            },
            {
              "status": "affected",
              "version": "\u003c 5.73.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T21:41:36.485Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g"
        }
      ],
      "source": {
        "advisory": "GHSA-wh3h-gvc4-cc2g",
        "discovery": "UNKNOWN"
      },
      "title": "Statamic is missing authorization check on taxonomy term creation via fieldtype"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33177",
    "datePublished": "2026-03-20T21:41:36.485Z",
    "dateReserved": "2026-03-17T22:16:36.719Z",
    "dateUpdated": "2026-03-23T16:49:26.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33177",
      "date": "2026-07-09",
      "epss": "0.00224",
      "percentile": "0.12912"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33177\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T22:16:29.117\",\"lastModified\":\"2026-06-17T10:37:05.140\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.\"},{\"lang\":\"es\",\"value\":\"Statamic es un sistema de gesti\u00f3n de contenido (CMS) impulsado por Laravel y Git. Antes de las versiones 5.73.14 y 6.7.0, los usuarios del Panel de Control con bajos privilegios pod\u00edan crear t\u00e9rminos de taxonom\u00eda enviando solicitudes al endpoint de procesamiento de acciones de campo con definiciones de campo controladas por el atacante. Esto elude las comprobaciones de autorizaci\u00f3n aplicadas en el endpoint est\u00e1ndar de creaci\u00f3n de t\u00e9rminos de taxonom\u00eda. Esto ha sido corregido en 5.73.14 y 6.7.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"statamic\",\"product\":\"cms\",\"versions\":[{\"version\":\"\u003e= 6.0.0-alpha.1, \u003c 6.7.0\",\"status\":\"affected\"},{\"version\":\"\u003c 5.73.14\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-23T16:49:16.425996Z\",\"id\":\"CVE-2026-33177\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.73.14\",\"matchCriteriaId\":\"23CF5975-D5BE-4138-AE2F-95F7BBE00F20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.7.0\",\"matchCriteriaId\":\"6B99B257-0FC1-4CF9-B006-8AEC17235BC8\"}]}]}],\"references\":[{\"url\":\"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "redhat_vex": {
      "current_release_date": "2026-03-27T07:38:51+00:00",
      "cve": "CVE-2026-33177",
      "id": "CVE-2026-33177",
      "initial_release_date": "2026-01-01T00:00:00+00:00",
      "product_status:known_not_affected": "1",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "Statamic is missing authorization check on taxonomy term creation via fieldtype",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33177.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33177\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T16:49:16.425996Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T16:49:23.148Z\"}}], \"cna\": {\"title\": \"Statamic is missing authorization check on taxonomy term creation via fieldtype\", \"source\": {\"advisory\": \"GHSA-wh3h-gvc4-cc2g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"statamic\", \"product\": \"cms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 6.0.0-alpha.1, \u003c 6.7.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 5.73.14\"}]}], \"references\": [{\"url\": \"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g\", \"name\": \"https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T21:41:36.485Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33177\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-23T16:49:26.359Z\", \"dateReserved\": \"2026-03-17T22:16:36.719Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T21:41:36.485Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…