Primary

Context

Statamic CMS Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

Patched

A path traversal vulnerability has been identified in Statamic CMS versions prior to 5.73.14 and 6.7.0. This vulnerability allows authenticated Control Panel users to read arbitrary .json, .yaml, and .csv files from the server. The issue arises from the ability to manipulate the file dictionary's filename configuration parameter in the fieldtype's endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data stored in .json, .yaml, and .csv files on the server.

Remediation

Users can upgrade to Statamic CMS versions 5.73.14 or 6.7.0 to address this vulnerability.

Added: Mar 20, 2026, 10:21 PM

Updated: Mar 20, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.2

exploitability

5.4

remediation

7.7

relevance

4.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.2

exploitability

5.4

remediation

7.7

relevance

4.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Statamic CMS Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

Impact

Remediation

Affected Products

Statamic

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating