CVE-2026-27198
Formwork Improperly Manages Privileges During User Creation
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
| CWE | CWE-269 |
| Vendor | getformwork |
| Product | formwork |
| Published | Feb 21, 2026 |
| Last Updated | Feb 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for getformwork formwork
Be the first to know when new high vulnerabilities affecting getformwork formwork are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
getformwork / formwork
>= 2.0.0, < 2.3.4