The threat to critical infrastructure has changed. Has your readiness?

Critical infrastructure CI organizations underpin national security, public safety, and the economy. In 2026, the cyber threat landscape facing these sectors is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure...

The threat to critical infrastructure has changed. Has your readiness?

Critical infrastructure CI organizations underpin national security, public safety, and the economy. In 2026, the cyber threat landscape facing these sectors is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure...

CVE-2026-27591

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

PT-2026-25530

Recently I discovered CVE-2026-32593 while testing a Winter CMS plugin. For more info, check this write-up: https://t.co/5CCGUR9qMr infosec bugbounty cybersecurity websecurity appsec cve securityresearch pentesting bugbountytips https://t.co/RdxvJ4mFce...

Winter vulnerable to privilege escalation by authenticated backend users

Impact Affected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security...

EUVD-2026-11406

Winter vulnerable to privilege escalation by authenticated backend users...

GHSA-PGPF-M8M4-6CG6 Winter vulnerable to privilege escalation by authenticated backend users

Impact Affected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the backend account management in FormController. An attacker can gain unauthorized access to higher privilege levels by sending specially crafted requests while authenticated as a...

CVE-2026-27591

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2026-27591 Winter: Privilege escalation by authenticated backend users

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2026-27591 Winter: Privilege escalation by authenticated backend users

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2026-27591 Winter: Privilege escalation by authenticated backend users

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2026-27591

CVE-2026-27591 pertains to Winter CMS (Laravel-based). The issue allows authenticated backend users to escalate their own access by mutating roles/permissions via specially crafted backend requests while logged in. Root cause is an authorization weakness in the backend account management flow. Im...

CVE-2026-27591

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

Winter 安全漏洞

Winter is a free and open-source content management system based on the Laravel PHP framework developed by Winter. Versions of Winter prior to 1.0.477, 1.1.12, and 1.2.12 contain security vulnerabilities. These vulnerabilities stem from improper permission allocation, which may allow authenticate...

PT-2026-24850

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2026-1671

The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winteractivitylogaction function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access...

CVE-2026-22254

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...

CVE-2026-22254

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...

CVE-2026-22254 Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...