cbcvebase.
CVE-2026-27591
published 2026-03-11

Priority: P2 (65) · critical · CVSS 3.1 base score 9.9
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% (38.2th percentile)
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.

Affected (8 ranges)

Vendor      Product             Version range         Fixed in
winter      wn-backend-module   >= 0 < 1.0.477        1.0.477
winter      wn-backend-module   >= 1.1.0 < 1.1.12     1.1.12
winter      wn-backend-module   >= 1.2.0 < 1.2.12     1.2.12
wintercms   winter              < 1.0.477             1.0.477
wintercms   winter
wintercms   winter
wintercms   winter              >= 1.1.0 < 1.1.12     1.1.12
wintercms   winter              >= 1.2.0 < 1.2.12     1.2.12

Detection & IOCs (extracted from sources)

  • Look for authenticated backend users sending specially crafted requests to modify their own roles or permissions within the Winter CMS backend — this is the core exploitation mechanism.
  • Any authenticated backend user account (regardless of privilege level) is a potential attacker — monitor all backend users for unexpected role/permission changes, not just privileged ones.
  • Audit the affected package 'winter/wn-backend-module' for versions prior to the fixed releases (1.0.477, 1.1.12, 1.2.12) in Composer lock files to identify vulnerable deployments.
  • The vulnerability affects Winter CMS versions prior to 1.0.477, 1.1.12, and 1.2.12 — all three branches are affected and each has its own fixed version.
  • No public exploit is currently available, reducing immediate mass-exploitation risk, but the EPSS exploitation probability is non-trivial at 0.1% (23.3rd percentile).
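The Composer audit suggested above, as an added example that is not part of this advisory or of the Winter CMS project: it reads a composer.lock, looks up the packages named in the Affected table, and reports the fixed version to upgrade to. The affected ranges are copied from the table on this page; the composer.lock content is constructed inline, and non-numeric versions (such as dev branches) are flagged for manual review rather than guessed at.

```python
"""Check a composer.lock for package versions affected by CVE-2026-27591.

Added example, not code from the advisory or from Winter CMS. The affected
ranges are taken from this page's Affected table; the sample lock file below
is constructed for demonstration.
"""
import json
from typing import Optional

# (inclusive lower bound, exclusive upper bound, fixed version) per package,
# exactly as listed in the Affected table on this page.
AFFECTED_RANGES = {
    "winter/wn-backend-module": [
        ("0", "1.0.477", "1.0.477"),
        ("1.1.0", "1.1.12", "1.1.12"),
        ("1.2.0", "1.2.12", "1.2.12"),
    ],
    # vendor/product pair from the table; assumed to match the Composer package name
    "wintercms/winter": [
        ("0", "1.0.477", "1.0.477"),
        ("1.1.0", "1.1.12", "1.1.12"),
        ("1.2.0", "1.2.12", "1.2.12"),
    ],
}


def parse_version(version: str) -> tuple:
    """Turn '1.0.476' or 'v1.0.476' into (1, 0, 476).

    Raises ValueError for versions that are not purely numeric (e.g. 'dev-main',
    '1.2.0-beta'); those must be checked by hand rather than compared blindly.
    """
    parts = version.strip().lstrip("v").split(".")
    nums = tuple(int(p) for p in parts)  # ValueError on non-numeric components
    while len(nums) < 3:                 # so (1, 1) compares like (1, 1, 0)
        nums += (0,)
    return nums


def is_affected(package: str, version: str) -> Optional[str]:
    """Return the fixed version to upgrade to if the installed version falls in
    an affected range, or None if the package/version is not affected."""
    ranges = AFFECTED_RANGES.get(package)
    if not ranges:
        return None
    v = parse_version(version)
    for low, high, fixed in ranges:
        if parse_version(low) <= v < parse_version(high):
            return fixed
    return None


def scan_composer_lock(lock_text: str) -> dict:
    """Return {package_name: finding} for every locked package that is either
    affected or has a version that could not be compared."""
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name not in AFFECTED_RANGES:
                continue
            try:
                fixed = is_affected(name, version)
            except ValueError:
                findings[name] = {"installed": version, "fixed_in": None,
                                  "needs_manual_check": True}
                continue
            if fixed is not None:
                findings[name] = {"installed": version, "fixed_in": fixed,
                                  "needs_manual_check": False}
    return findings


# Constructed sample composer.lock containing only the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "winter/wn-backend-module", "version": "v1.2.11"},
        {"name": "laravel/framework", "version": "v9.52.16"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, finding in scan_composer_lock(SAMPLE_LOCK).items():
        if finding["needs_manual_check"]:
            print(f"{name} {finding['installed']}: non-numeric version, check manually")
        else:
            print(f"{name} {finding['installed']} is affected; upgrade to {finding['fixed_in']}")
```

Run it against a real lock file with `scan_composer_lock(open("composer.lock").read())`; the range check is deliberately lexicographic on integer tuples so that 1.1.5 is matched against the 1.1.x range and not the `>= 0 < 1.0.477` one.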