CVE-2026-27591: Winter Form Context User Controlled Override
formGetContext() returns a value derived from the 'form_context' POST parameter, allowing authenticated users to override the server-side form rendering context. Combined with context-specific form field visibility, this lets clients coerce a more permissive context that exposes privileged fields (e.g. role_id, is_superuser, permissions) and persist arbitrar
greprules fetch cve-2026-27591-winter-form-context-user-controlled-override --engine opengrep
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided