PT-2026-24850 · Git+2 · Winter+1
Skyhex19 · Published 2026-03-11 · Updated 2026-03-13
CVE-2026-27591
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Winter CMS versions prior to 1.0.477
Winter CMS versions prior to 1.1.12
Winter CMS versions prior to 1.2.12
Description
Winter CMS, a content management system built on the Laravel PHP framework, contained a flaw that allowed authenticated backend users to raise their own access level within the system. By sending specially crafted requests to the backend, a user could modify the roles and permissions associated with their own account. Exploitation required existing access to the backend with any user account. The result is privilege escalation.
Recommendations
Update to Winter CMS version 1.0.477 or later.
Update to Winter CMS version 1.1.12 or later.
Update to Winter CMS version 1.2.12 or later.
Exploit · Fix
LPE · IDOR · Improper Access Control
Related Identifiers
Affected Products
Winter
Winter/Wn-Backend-Module