{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27591", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.451Z", "datePublished": "2026-03-11T21:25:35.289Z", "dateUpdated": "2026-03-12T14:23:06.447Z"}, "containers": {"cna": {"title": "Winter: Privilege escalation by authenticated backend users", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6"}, {"name": "https://wintercms.com/releases/v1.0.477", "tags": ["x_refsource_MISC"], "url": "https://wintercms.com/releases/v1.0.477"}, {"name": "https://wintercms.com/releases/v1.1.12", "tags": ["x_refsource_MISC"], "url": "https://wintercms.com/releases/v1.1.12"}, {"name": "https://wintercms.com/releases/v1.2.12", "tags": ["x_refsource_MISC"], "url": "https://wintercms.com/releases/v1.2.12"}], "affected": [{"vendor": "wintercms", "product": "winter", "versions": [{"version": ">= 1.2.0, < 1.2.12", "status": "affected"}, {"version": ">= 1.1.0, < 1.1.12", "status": "affected"}, {"version": "< 1.0.477", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:25:35.289Z"}, "descriptions": [{"lang": "en", "value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12."}], "source": {"advisory": "GHSA-pgpf-m8m4-6cg6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:22:14.030785Z", "id": "CVE-2026-27591", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:23:06.447Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27591", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:22:14.030785Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:23:02.378Z"}}], "cna": {"title": "Winter: Privilege escalation by authenticated backend users", "source": {"advisory": "GHSA-pgpf-m8m4-6cg6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "wintercms", "product": "winter", "versions": [{"status": "affected", "version": ">= 1.2.0, < 1.2.12"}, {"status": "affected", "version": ">= 1.1.0, < 1.1.12"}, {"status": "affected", "version": "< 1.0.477"}]}], "references": [{"url": "https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6", "name": "https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://wintercms.com/releases/v1.0.477", "name": "https://wintercms.com/releases/v1.0.477", "tags": ["x_refsource_MISC"]}, {"url": "https://wintercms.com/releases/v1.1.12", "name": "https://wintercms.com/releases/v1.1.12", "tags": ["x_refsource_MISC"]}, {"url": "https://wintercms.com/releases/v1.2.12", "name": "https://wintercms.com/releases/v1.2.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:25:35.289Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27591", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:23:06.447Z", "dateReserved": "2026-02-20T17:40:28.451Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T21:25:35.289Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*", "matchCriteriaId": "A170C0BF-F88A-484A-A4A4-D87E966EF818", "versionEndExcluding": "1.0.477", "vulnerable": true}, {"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*", "matchCriteriaId": "62491B0E-F94A-4832-B005-BE7F30B61FD4", "versionEndExcluding": "1.1.12", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5E7A265-618D-4020-A8D9-263759E5EDFA", "versionEndExcluding": "1.2.12", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12."}, {"lang": "es", "value": "Winter es un sistema de gesti\u00f3n de contenido (CMS) gratuito y de c\u00f3digo abierto basado en el framework PHP Laravel. Antes de las versiones 1.0.477, 1.1.12 y 1.2.12, Winter CMS permit\u00eda a los usuarios autenticados del backend escalar el nivel de acceso de sus cuentas al sistema modificando los roles / permisos asignados a su cuenta a trav\u00e9s de solicitudes especialmente dise\u00f1adas al backend mientras estaban conectados. Para explotar activamente este problema de seguridad, un atacante necesitar\u00eda acceso al Backend con una cuenta de usuario con cualquier nivel de acceso. Esta vulnerabilidad est\u00e1 corregida en las versiones 1.0.477, 1.1.12 y 1.2.12."}], "id": "CVE-2026-27591", "lastModified": "2026-03-19T17:37:17.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T22:16:32.290", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://wintercms.com/releases/v1.0.477"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://wintercms.com/releases/v1.1.12"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://wintercms.com/releases/v1.2.12"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0,1.2.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,1.1.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.477)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "winter", "source": "cna", "vendor": "wintercms"}, "product": "winter", "vendor": "wintercms"}], "analysis": {"en": {"generated_at": "2026-03-19T18:52:57.981083+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Winter CMS to version 1.0.477, 1.1.12, or 1.2.12 (depending on your release).", "Verify that the upgraded version is running and that role-permission modifications are no longer possible through crafted requests."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All releases of Winter CMS older than 1.0.477, version 1.1.12, and version 1.2.12 are affected. The vulnerability is specific to the Winter product from the wintercms vendor.", "description_and_impact": "Winter CMS allows authenticated backend users to modify the roles and permissions assigned to their account through specially crafted requests while logged in. This flaw enables a user to raise their own level of access within the CMS, effectively granting higher privileges than originally granted.", "risk_and_exploitability": "The CVSS score is 10, indicating critical severity. The EPSS score is under 1%, suggesting a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated backend session and the ability to send crafted requests; a successful exploit would allow the attacker to alter role assignments and elevate privileges."}}}}, "created": "2026-03-12T09:55:48.774405+00:00", "updated": "2026-03-20T15:36:57.681243+00:00", "vendors": ["wintercms", "wintercms$PRODUCT$winter"]}