CVE-2026-27198: Formwork CMS Improper Privilege Management in User Creation
CVE-2026-27198 is verified against getformwork/formwork · composer affected versions: >= 2.0.0, <= 2.3.3 fixed version: 2.3.4 This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00111.
pruva-verify REPRO-2026-00111 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00111/artifacts/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Application fails to enforce role-based authorization during account creation. An authenticated user with editor role can create new accounts with administrative privileges, leading to full administrative access and CMS compromise.
Application fails to enforce role-based authorization during account creation. An authenticated user with editor role can create new accounts with administrative privileges, leading to full administrative access and CMS compromise.
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
No artifacts available