Description

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.

INFO

Published Date :

2026-03-11T21:25:35.289Z

Last Modified :

2026-03-12T14:23:06.447Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27591 vulnerability.

Vendors Products
Wintercms
  • Winter
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27591.

URL Resource
https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6 cve-icon cve-icon
https://wintercms.com/releases/v1.0.477 cve-icon cve-icon
https://wintercms.com/releases/v1.1.12 cve-icon cve-icon
https://wintercms.com/releases/v1.2.12 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact