CVE-2026-27198
published 2026-02-21


Priority: P2 (60, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.41% (33.3rd percentile)
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
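The advisory describes the gap precisely: the role name is checked for existence, but the caller's own privilege is never compared against the role being handed out. The following is an added illustration in Python, not Formwork's code (Formwork is PHP): a minimal account-creation model with the flawed check beside a hardened one. The role ranking, the "user" tier, the Account class and the function names are assumptions for the example.

```python
"""Model of the CVE-2026-27198 authorization gap (constructed illustration,
not Formwork's code). The lesson: "role exists" is not "caller may assign it"."""


# Hypothetical role ranking. 'admin' and 'editor' are named in the advisory;
# the 'user' tier and the numeric ranks are assumptions for this example.
ROLE_RANK = {"admin": 3, "editor": 2, "user": 1}


class Account:
    def __init__(self, username, role):
        self.username = username
        self.role = role


def _role_exists(role):
    return role in ROLE_RANK


def create_account_vulnerable(actor, username, role):
    """Mirrors the flawed behaviour the advisory describes: the requested role
    is validated for existence only, never against the actor's own rank."""
    if not _role_exists(role):
        raise ValueError(f"unknown role: {role}")
    # Missing here: any check that `actor` is allowed to grant `role`.
    return Account(username, role)


def can_assign(actor_role, target_role):
    """Hardened rule: only an admin may mint an admin, and nobody may grant a
    role ranked above their own (so a future 'superadmin' tier stays safe too)."""
    if target_role == "admin" and actor_role != "admin":
        return False
    return ROLE_RANK[target_role] <= ROLE_RANK[actor_role]


def create_account_fixed(actor, username, role):
    """Same entry point with the authorization check the vulnerable path lacks."""
    if not _role_exists(role):
        raise ValueError(f"unknown role: {role}")
    if not can_assign(actor.role, role):
        raise PermissionError(
            f"{actor.username} ({actor.role}) may not assign role {role}")
    return Account(username, role)


if __name__ == "__main__":
    editor = Account("mallory", "editor")
    escalated = create_account_vulnerable(editor, "backdoor", "admin")
    print("vulnerable path granted:", escalated.role)
    try:
        create_account_fixed(editor, "backdoor", "admin")
    except PermissionError as err:
        print("fixed path refused:", err)
```

The important design point is that `can_assign` is evaluated on the server from the authenticated session's role, never from anything the client submits; the `role` parameter in the request is untrusted input and only names the target.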

Affected (3 ranges)

Vendor             Product    Version range        Fixed in
formwork_project   formwork   >= 2.0.0 < 2.3.4     2.3.4
getformwork        formwork   (not specified)
getformwork        formwork   >= 2.0.0 < 2.3.4     2.3.4

Detection & IOCs (extracted from sources)

  • Flag any account-creation event in Formwork CMS in which a session authenticated as a non-admin (including the editor role) assigns the 'admin' role; only admin sessions should ever assign it
  • Monitor the Formwork account-creation endpoint for requests whose role parameter is 'admin' and whose session belongs to an 'editor'-role user; on an unpatched instance (2.0.0 through 2.3.3) such a request succeeds, so also review existing admin accounts for any created by a non-admin
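One way to run the detection rules above over exported audit records, as an added example that is not part of the original page or of Formwork. Formwork's real log format is not documented here, so the key=value line format, the field names (actor, actor_role, action, role) and the sample lines are all constructed for this example; adapt the parser to whatever your reverse proxy or application log actually emits. The version check encodes the affected range from the advisory (>= 2.0.0, < 2.3.4).

```python
"""Detection for CVE-2026-27198-style privilege escalation over audit lines.
Constructed example: the log format and sample events are invented."""

# Constructed sample audit lines: an ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2026-02-22T09:14:03Z actor=alice actor_role=admin action=user.create target=bob role=editor status=201
2026-02-22T09:20:41Z actor=carol actor_role=editor action=user.create target=dave role=user status=201
2026-02-22T09:31:17Z actor=carol actor_role=editor action=user.create target=ghost role=admin status=201
2026-02-22T09:32:02Z actor=carol actor_role=editor action=page.publish target=about status=200
2026-02-22T09:40:55Z actor=alice actor_role=admin action=user.create target=erin role=admin status=201
""".splitlines()

AFFECTED_MIN = (2, 0, 0)   # inclusive, per the advisory
FIXED_IN = (2, 3, 4)       # exclusive, per the advisory


def parse_event(line):
    """Turn 'ts k=v k=v ...' into a dict; malformed tokens are ignored."""
    parts = line.split()
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" in token:
            key, _, value = token.partition("=")
            event[key] = value
    return event


def is_role_escalation(event):
    """True when a non-admin session created an account with the admin role.
    Only successful creations are flagged; a 4xx would mean the check held."""
    return (
        event.get("action") == "user.create"
        and event.get("role") == "admin"
        and event.get("actor_role") != "admin"
        and event.get("status", "").startswith("2")
    )


def find_role_escalations(lines):
    """Return the parsed events that match the escalation rule."""
    return [ev for ev in map(parse_event, lines) if is_role_escalation(ev)]


def parse_version(version):
    """'2.3.3' -> (2, 3, 3); a '-rc1'-style suffix is dropped before comparing."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version):
    """Formwork version in the vulnerable range named by the advisory?"""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


if __name__ == "__main__":
    for ev in find_role_escalations(SAMPLE_LOG):
        print(f"ALERT {ev['ts']}: {ev['actor']} ({ev['actor_role']}) "
              f"created {ev['target']} with role={ev['role']}")
    for ver in ("2.0.0", "2.3.3", "2.3.4"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

Note that the rule keys on the actor's server-side role, not on anything in the request body; if your logs only record the submitted role parameter and not the session's role, join against the user store before applying it.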

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA: 7.3 HIGH