← Retour aux CVEs
CVE-2026-22254
NONE0.0
Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
Details CVE
Score CVSS v3.10.0
SeveriteNONE
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisHIGH
Interaction utilisateurREQUIRED
Publie2/6/2026
Derniere modification2/20/2026
Sourcenvd
Observations honeypot0
Produits affectes
wintercms:winter
Faiblesses (CWE)
CWE-79CWE-80
References
https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65(security-advisories@github.com)
https://github.com/wintercms/winter/releases/tag/v1.2.10(security-advisories@github.com)
https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.