CVE-2026-33171: Path Traversal in Statamic CMS

CVE-2026-33171


Everyone’s Using AI. I Used It to Create an Autonomous CVE-Hunting Pipeline.

Technically, everyone is using AI right now, in all the best possible ways, and I was thinking: what if I could build a fully autonomous system for finding bugs in popular repositories? People have made a lot of red-teaming tools and bug bounty AI, but I am building one specifically for static analysis to find vulnerabilities.

And to make this even better, I got huge inspiration from Anuraag and his methodology. Then I thought that I should make this whole process autonomous: finding a repo, running scans, giving a small verdict and acting on it to reduce false positives, with human interaction needed only a couple of times in the whole process, and at the end you get a statically verified PoC. (I am actually developing this and hoping that with my setup I can find at least 2 legitimate security vulnerabilities per week. It will be fully autonomous and tested thoroughly. More on this by the end of the month when it is complete.)

But for now, it works. CVE-2026-33171. Let me tell you how.

Just to make it obvious: I don’t write blogs with AI.

Picking the Target

I wanted something real. I wanted a project that people actually use in production.

So I went to trendshift and chose the Best Flat CMS of 2026: Statamic — a Laravel-based CMS with around 5000 stars, active development, proper security processes, and used by agencies and businesses worldwide. PERFECT. If I find something here, it matters.

The Setup

6 phase approach


“prompting is the research.”

I spent two to three days just setting up the workflow before running it extensively. I’m talking about:

  • Writing custom instructions that tell Claude exactly how to approach a codebase — what to ignore, what to prioritize (routes, controllers, auth middleware, dangerous sinks)
  • Building a phased workflow: recon → architecture mapping → git history analysis → attack surface identification → deep source-to-sink tracing
  • Teaching it to check git diffs for incomplete security fixes — because where there’s one patch, there’s usually a cousin bug nearby
  • Setting confidence scoring so it doesn’t waste my time with “this might be an issue if the moon is full and the server is running on a Tuesday”

The whole philosophy: depth over breadth. One fully traced, exploitable vulnerability. That’s it. The same motive will drive my complete autonomous pipeline.

How It Actually Found the Bug

Once the workflow was done, I pointed it at Statamic’s codebase and let it run through the phases.

It mapped the architecture. It read the route definitions. It traced how user input flows from HTTP requests into the application. And then it flagged something.

Workflow result


And I got:

  • The exact source
  • The exact sink
  • What sanitization was missing between the two
  • A confidence score

I pulled down Statamic v6.6.3, deployed it locally, and built a manual proof of concept. The path traversal was real. An attacker could read files they weren’t supposed to access.
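As an added illustration of the vulnerability class behind this CVE (not Statamic’s code, which this post does not show), here is a hypothetical PHP file-serving handler in its traversable form beside a hardened one that uses realpath() containment; the directory layout is constructed by the script itself and needs PHP 8:

```php
<?php
// Added example: the vulnerability class behind CVE-2026-33171 (path traversal
// leading to arbitrary file read). Hypothetical handler, not Statamic's code.
declare(strict_types=1);

// Vulnerable pattern: a user-supplied relative path is joined straight onto the
// base directory. A value containing ".." walks out of $baseDir.
function readAssetVulnerable(string $baseDir, string $relative): string|false
{
    $path = $baseDir . '/' . $relative;
    return is_file($path) ? file_get_contents($path) : false;
}

// Hardened pattern: canonicalise both sides with realpath() (which resolves
// "..", "." and symlinks) and require the resolved file to sit under the base.
function readAssetSafe(string $baseDir, string $relative): string|false
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $relative);
    if ($base === false || $real === false) {
        return false; // base missing or target does not exist
    }
    // Trailing separator stops "/srv/assets-private" matching base "/srv/assets".
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return false; // resolved outside the base: reject (and log it)
    }
    return is_file($real) ? file_get_contents($real) : false;
}

// Constructed demo layout: public/ is served, private/ must never be reachable.
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir("$root/public", 0700, true);
mkdir("$root/private", 0700);
file_put_contents("$root/public/logo.txt", 'logo');
file_put_contents("$root/private/secret.txt", 'secret');

$probe = '../private/secret.txt';
var_dump(readAssetVulnerable("$root/public", 'logo.txt'));  // legitimate read
var_dump(readAssetVulnerable("$root/public", $probe));      // escapes public/
var_dump(readAssetSafe("$root/public", 'logo.txt'));        // legitimate read
var_dump(readAssetSafe("$root/public", $probe));            // rejected

// Remove the constructed files again.
array_map('unlink', ["$root/public/logo.txt", "$root/private/secret.txt"]);
array_map('rmdir', ["$root/public", "$root/private", $root]);
```

A reliable detection signal for this class is the reject branch in readAssetSafe(): log the raw request value there, since a legitimate client never needs to send a path that resolves outside the served directory.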

The Report and Response

I reported it to the Statamic security team. They confirmed the vulnerability, and the fix was merged in PR #14272 on the same day.

A GitHub Security Advisory was published, and it was assigned CVE-2026-33171 — classified as moderate severity.

My name’s on it as the reporter. First CVE with this simple workflow.

The Bigger Picture

That Statamic finding wasn’t a one-off. In the past week, I’ve reported around ten vulnerabilities across different open-source projects using this same workflow. Four have gotten responses so far. One resulted in the CVE I just told you about. I’m fairly confident two or three more will land. It depends on whether the maintainers accept the risk or decide to patch.

Some of the findings are moderate. Some are genuinely nasty. But the point is: the AI doesn’t get tired, it doesn’t skip files, and it follows data flows with zero ego. It does the boring, methodical tracing that we can miss in big projects.

The Actual Thing

AI doesn’t find vulnerabilities. You do. The AI is the engine. You’re the driver. If you give it garbage instructions, it gives you garbage findings. If you spend the time building a real methodology — phased analysis, git history context, source-to-sink tracing, confidence scoring — it becomes genuinely dangerous (in the best way).

Yes, AI hallucinates. Yes, it can flag things that aren’t real. That’s why you verify manually. Every single finding I report has a hand-built PoC on a local deployment. The AI narrows the haystack. I confirm the needle exists.

Timeline

  • March 15, 2026: Started AI-assisted workflow on the Statamic CMS repository using Claude Code.
  • March 16, 2026: Built PoC for the path traversal (LFI) finding. Confirmed exploitability. Reported two vulnerabilities to the Statamic security team.
  • March 17, 2026: Maintainers responded and acknowledged one of the two findings (LFI).
  • March 17, 2026: Fix merged in PR #14272. GitHub Security Advisory created and CVE-2026-33171 assigned.

From first scan to CVE assignment, 2 days. I really appreciate the quick response and fix from the Statamic team.

·   ·   ·

Thank you everyone for reading this. I could have talked more about the technical aspects of this bug, but I chose to make it about the process.

And about the autonomous pipeline I am building: let me know if you want to discuss it or have any ideas about it. It’s in the building phase and I believe it will be worth the long nights and days I have spent on it. (And hopefully land me a job eventually, haha.) Until then

TO THE MOON!! 🚀🚀