CVE-2026-27198

HIGH

Formwork 2.0.0-2.3.3 - Privilege Escalation

Title source: llm

Description

Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.

Exploits (1)

github WRITEUP
by G3XAR · poc
https://github.com/G3XAR/Security-Research/tree/main/CVE-2026-27198

References (3)

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 4.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-269
Status published
Products (2)
formwork_project/formwork 2.0.0 - 2.3.4
getformwork/formwork 2.0.0 - 2.3.4Packagist
Published Feb 21, 2026
Tracked Since Feb 21, 2026