← Back to CVEs
CVE-2026-22254
NONE0.0
Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
CVE Details
CVSS v3.1 Score0.0
SeverityNONE
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionREQUIRED
Published2/6/2026
Last Modified2/20/2026
Sourcenvd
Honeypot Sightings0
Affected Products
wintercms:winter
Weaknesses (CWE)
CWE-79CWE-80
References
https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65(security-advisories@github.com)
https://github.com/wintercms/winter/releases/tag/v1.2.10(security-advisories@github.com)
https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.