← Volver a CVEs
CVE-2026-22254
NONE0.0
Descripcion
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
Detalles CVE
Puntuacion CVSS v3.10.0
SeveridadNONE
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosHIGH
Interaccion usuarioREQUIRED
Publicado2/6/2026
Ultima modificacion2/20/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
wintercms:winter
Debilidades (CWE)
CWE-79CWE-80
Referencias
https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65(security-advisories@github.com)
https://github.com/wintercms/winter/releases/tag/v1.2.10(security-advisories@github.com)
https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.