Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.
Published: 2026-03-11
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Winter CMS allows authenticated backend users to modify the roles and permissions assigned to their account through specially crafted requests while logged in. This flaw enables a user to raise their own level of access within the CMS, effectively granting higher privileges than originally granted.

Affected Systems

All releases of Winter CMS older than 1.0.477, version 1.1.12, and version 1.2.12 are affected. The vulnerability is specific to the Winter product from the wintercms vendor.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. The EPSS score is under 1%, suggesting a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated backend session and the ability to send crafted requests; a successful exploit would allow the attacker to alter role assignments and elevate privileges.

Generated by OpenCVE AI on March 19, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Winter CMS to version 1.0.477, 1.1.12, or 1.2.12 (depending on your release).
  • Verify that the upgraded version is running and that role-permission modifications are no longer possible through crafted requests.

Generated by OpenCVE AI on March 19, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pgpf-m8m4-6cg6 Winter vulnerable to privilege escalation by authenticated backend users
History

Thu, 19 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wintercms
Wintercms winter
Vendors & Products Wintercms
Wintercms winter

Wed, 11 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.
Title Winter: Privilege escalation by authenticated backend users
Weaknesses CWE-284
CWE-639
CWE-915
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Wintercms Winter
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:23:06.447Z

Reserved: 2026-02-20T17:40:28.451Z

Link: CVE-2026-27591

cve-icon Vulnrichment

Updated: 2026-03-12T14:23:02.378Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:32.290

Modified: 2026-03-19T17:37:17.370

Link: CVE-2026-27591

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:57Z

Weaknesses