CVE-2026-27591

Published 11/03/2026 22:16 · Modified 12/03/2026 21:08

Labels: CVE-2026-27591, 2026-03-11, CWE-284, [email protected]

Essential information

Published: 11/03/2026 22:16
Modified: 12/03/2026 21:08
Author:
Creator:
CVSS: 9.9 CRITICAL (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product               CPE
winter / winter cms   cpe:2.3:a:winter:winter_cms:<1.0.477:*:*:*:*:*:*:*
winter / winter cms   cpe:2.3:a:winter:winter_cms:<1.1.12:*:*:*:*:*:*:*
winter / winter cms   cpe:2.3:a:winter:winter_cms:<1.2.12:*:*:*:*:*:*:*

References