CVE-2026-33171: Statamic has a path traversal in file dictionary fieldtype

March 18, 2026 (updated March 25, 2026)

Authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary’s filename configuration parameter in the fieldtype’s endpoint.

References

github.com/advisories/GHSA-qm7r-wwq7-6f85
github.com/statamic/cms
github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85
nvd.nist.gov/vuln/detail/CVE-2026-33171

Code Behaviors & Features

Detect and mitigate CVE-2026-33171 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →