← Zuruck zu CVEs
CVE-2026-22254
NONE0.0
Beschreibung
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
CVE Details
CVSS v3.1 Bewertung0.0
SchweregradNONE
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienHIGH
BenutzerinteraktionREQUIRED
Veroffentlicht2/6/2026
Zuletzt geandert2/20/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
wintercms:winter
Schwachen (CWE)
CWE-79CWE-80
Referenzen
https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65(security-advisories@github.com)
https://github.com/wintercms/winter/releases/tag/v1.2.10(security-advisories@github.com)
https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.