{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-30T02:05:08.569","vulnerabilities":[{"cve":{"id":"CVE-2026-27591","sourceIdentifier":"security-advisories@github.com","published":"2026-03-11T22:16:32.290","lastModified":"2026-06-17T10:27:21.463","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12."},{"lang":"es","value":"Winter es un sistema de gestión de contenido (CMS) gratuito y de código abierto basado en el framework PHP Laravel. Antes de las versiones 1.0.477, 1.1.12 y 1.2.12, Winter CMS permitía a los usuarios autenticados del backend escalar el nivel de acceso de sus cuentas al sistema modificando los roles / permisos asignados a su cuenta a través de solicitudes especialmente diseñadas al backend mientras estaban conectados. Para explotar activamente este problema de seguridad, un atacante necesitaría acceso al Backend con una cuenta de usuario con cualquier nivel de acceso. 
Esta vulnerabilidad está corregida en las versiones 1.0.477, 1.1.12 y 1.2.12."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"wintercms","product":"winter","versions":[{"version":">= 1.2.0, < 1.2.12","status":"affected"},{"version":">= 1.1.0, < 1.1.12","status":"affected"},{"version":"< 1.0.477","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-12T14:22:14.030785Z","id":"CVE-2026-27591","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA 
Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-639"},{"lang":"en","value":"CWE-915"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.477","matchCriteriaId":"A170C0BF-F88A-484A-A4A4-D87E966EF818"},{"vulnerable":true,"criteria":"cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.0","versionEndExcluding":"1.1.12","matchCriteriaId":"62491B0E-F94A-4832-B005-BE7F30B61FD4"},{"vulnerable":true,"criteria":"cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*","versionStartIncluding":"1.2.0","versionEndExcluding":"1.2.12","matchCriteriaId":"C5E7A265-618D-4020-A8D9-263759E5EDFA"}]}]}],"references":[{"url":"https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]},{"url":"https://wintercms.com/releases/v1.0.477","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://wintercms.com/releases/v1.1.12","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://wintercms.com/releases/v1.2.12","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}