Statamic has a path traversal in file dictionary fieldtype
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Control Panel users can read arbitrary JSON, YAML, and CSV files by manipulating a filename parameter in the Statamic file dictionary fieldtype endpoint.
Vulnerability
A path traversal vulnerability exists in the Statamic CMS file dictionary fieldtype endpoint. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the filename configuration parameter [1][3]. The root cause is insufficient validation of the user-supplied filenames, allowing traversal outside the intended directory.
Exploitation
An attacker must be an authenticated user with access to the Statamic Control Panel. The attack can be carried out locally or remotely, as the web interface exposes this endpoint. The complexity is low: only a crafted filename parameter is needed; no additional privileges or user interaction beyond authentication are required [3].
Impact
Successful exploitation results in unauthorized read access to arbitrary JSON, YAML, and CSV files on the server filesystem. This could expose sensitive configuration data, credentials, or other confidential information, leading to a breach of confidentiality [3]. Integrity and availability are not directly affected.
Mitigation
The vulnerability has been fixed in Statamic CMS versions 5.73.14 and 6.7.0 [1][2]. Users should update to these patched versions immediately. No workarounds have been publicly documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
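The root cause described above is a user-supplied filename joined onto the dictionary directory without confinement. The following Python example is added here and is not Statamic's own code (which is PHP); it shows the check a defender would expect in such an endpoint: canonicalise the joined path, require it to remain under the base directory, and allow only the dictionary extensions. The directory layout, file names and contents are constructed fixtures, and the `.yml` suffix is an assumption beyond the advisory's list.

```python
import os
import tempfile
from pathlib import Path

# Extensions the file dictionary is meant to serve (.yml added as an assumption).
ALLOWED_SUFFIXES = {".json", ".yaml", ".yml", ".csv"}


class DictionaryFileError(ValueError):
    """Raised when a requested dictionary filename is rejected."""


def resolve_dictionary_file(base_dir, filename):
    """Return the canonical path of `filename` inside `base_dir`, or raise.

    The user-controlled value is never used as a path on its own: it is joined
    to the base directory, canonicalised (collapsing '..' and following
    symlinks), and the result must still lie beneath the base directory.
    """
    base = Path(base_dir).resolve()
    if not filename or os.path.isabs(filename):
        raise DictionaryFileError("empty or absolute filename")
    candidate = (base / filename).resolve()
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise DictionaryFileError(f"extension not allowed: {candidate.suffix!r}")
    if base not in candidate.parents:
        raise DictionaryFileError("path escapes the dictionary directory")
    if not candidate.is_file():
        raise DictionaryFileError("no such dictionary file")
    return candidate


def demo():
    """Exercise the check against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "dictionaries"
        base.mkdir()
        (base / "countries.json").write_text('{"us": "United States"}')
        # A file one level above the dictionary directory that must stay unreadable.
        (Path(tmp) / "secret.yaml").write_text("api_key: constructed-value")
        results = {}
        for name in ("countries.json", "../secret.yaml", "/etc/passwd", "notes.txt"):
            try:
                results[name] = resolve_dictionary_file(base, name).name
            except DictionaryFileError as exc:
                results[name] = f"rejected: {exc}"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:20} -> {outcome}")
```

Where the set of dictionary files is known in advance, comparing the request against an explicit allowlist of names is simpler still and removes the path handling entirely.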
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| statamic/cms | Packagist | >= 6.0.0-alpha.1, < 6.7.0 | 6.7.0 |
| statamic/cms | Packagist | < 5.73.14 | 5.73.14 |
Affected products
- statamic/cms (v5), range: >= 6.0.0-alpha.1, < 6.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qm7r-wwq7-6f85 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33171 (GHSA, advisory)
- github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.