LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-27591

CVE-2026-27591 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 12, 2026

Winter CMS - Broken Access Control

Published: March 11, 2026Updated: March 12, 2026Remote Exploitable

Overview

Winter CMS < 1.0.477, < 1.1.12, and < 1.2.12 contains a broken access control vulnerability caused by improper validation of role and permission modifications, letting authenticated backend users escalate privileges, exploit requires authenticated backend access.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 5.5%(Probability of exploitation in next 30 days)

Impact

Authenticated backend users can escalate their privileges, potentially gaining full administrative control.

Mitigation

Upgrade to versions 1.0.477, 1.1.12, or 1.2.12 or later.

References

Social Media Activity(3 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 13, 2026

šŸ”“ CVE-2026-27591 - Critical (9.9) Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modi... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-27591/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 13, 2026

šŸ”“ CVE-2026-27591 - Critical (9.9) Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modi... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-27591/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
Offensive Sequence
Offensive Sequence
@offseq
Mar 12, 2026

šŸšØ CRITICAL: CVE-2026-27591 in Winter CMS (<1.0.477, <1.1.12, <1.2.12) lets any authenticated backend user escalate to admin via crafted requests. Patch ASAP! Impact: full compromise. https://radar.offseq.com/threat/cve-2026-27591-cwe-284-improper-access-control-in--eac8002f #OffSeq #WinterCMS #CVE202627591 #infosec

View original post

Related Resources

Details

CVE ID
CVE-2026-27591
Severity
Critical
CVSS Score
9.9
Type
broken_access_control
Status
unconfirmed
EPSS
5.5%
Social Posts
3

CWE

  • CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

5.5%Probability of exploitation in the next 30 days