CVE-2026-27591
Published 2026-03-11
Priority: P265 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% (38.2th percentile)
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| winter | wn-backend-module | >= 0 < 1.0.477 | 1.0.477 |
| winter | wn-backend-module | >= 1.1.0 < 1.1.12 | 1.1.12 |
| winter | wn-backend-module | >= 1.2.0 < 1.2.12 | 1.2.12 |
| wintercms | winter | < 1.0.477 | 1.0.477 |
| wintercms | winter | — | — |
| wintercms | winter | — | — |
| wintercms | winter | >= 1.1.0 < 1.1.12 | 1.1.12 |
| wintercms | winter | >= 1.2.0 < 1.2.12 | 1.2.12 |
Detection & IOCs (extracted from sources)
- Look for authenticated backend users sending specially crafted requests to modify their own roles or permissions within the Winter CMS backend; this is the core exploitation mechanism.
- Any authenticated backend user account (regardless of privilege level) is a potential attacker: monitor all backend users for unexpected role/permission changes, not just privileged ones.
- Audit the affected package 'winter/wn-backend-module' for versions prior to the fixed releases (1.0.477, 1.1.12, 1.2.12) in Composer lock files to identify vulnerable deployments.
- The vulnerability affects Winter CMS versions prior to 1.0.477, 1.1.12, and 1.2.12; all three branches are affected and each has its own fixed version.
- No public exploit is currently available, reducing immediate mass-exploitation risk, but the EPSS exploitation probability is non-trivial at 0.1% (23.3rd percentile).
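One way to carry out the Composer lock file audit listed above, as an added example that is not code from the Winter CMS project or from this advisory: a small Python scanner that reads a composer.lock, picks out the affected packages and compares each version against the fixed release of its branch. The lock file contents are constructed for the demonstration.

```python
import json
import re

# Fixed releases per branch, taken from the advisory's affected ranges:
# >= 0 < 1.0.477, >= 1.1.0 < 1.1.12, >= 1.2.0 < 1.2.12
AFFECTED_PACKAGES = ("winter/wn-backend-module", "wintercms/winter")
FIXED_BY_BRANCH = {(1, 0): (1, 0, 477), (1, 1): (1, 1, 12), (1, 2): (1, 2, 12)}


def parse_version(raw):
    """Turn 'v1.2.11' or '1.0.476' into an int tuple; None for dev-* or branch aliases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if the version is in an affected range, False if fixed/outside, None if undecidable."""
    v = parse_version(version)
    if v is None:
        return None  # dev-* or unparsable: flag for manual review
    if v[:2] in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[v[:2]]
    return v < FIXED_BY_BRANCH[(1, 0)]  # ">= 0 < 1.0.477" also covers pre-1.0 releases


def scan_composer_lock(lock_text):
    """Map each affected package found in a composer.lock to (version, verdict)."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") in AFFECTED_PACKAGES:
            findings[pkg["name"]] = (pkg["version"], is_vulnerable(pkg["version"]))
    return findings


# Constructed sample lock file for the demonstration, not taken from a real deployment
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "winter/wn-backend-module", "version": "v1.2.11"},
        {"name": "laravel/framework", "version": "v9.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    labels = {True: "VULNERABLE - update", False: "fixed", None: "unknown - review manually"}
    for name, (ver, verdict) in scan_composer_lock(SAMPLE_LOCK).items():
        print(f"{name} {ver}: {labels[verdict]}")
```

Point it at a real deployment by replacing SAMPLE_LOCK with the contents of that site's composer.lock; a dev-* version is reported as unknown rather than silently passed.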
GHSA · 2026-03-12
CVE-2026-27591 [CRITICAL] CWE-284: Winter vulnerable to privilege escalation by authenticated backend users
## Impact
Affected versions of Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in.
To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access.
The Winter CMS maintainers strongly recommend that all Winter CMS sites that have any reliance on the roles & permissions system update immediately. Security fixes have been backported to all major versions of Winter (1.0, 1.1, and 1.2).
## Patches
Multiple fixes and defence in depth have been applied to prevent current an
OSV · 2026-03-12
CVE-2026-27591 [CRITICAL]: Winter vulnerable to privilege escalation by authenticated backend users
No detection rules found.
No public exploits indexed.