Vulnerability Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
CVSS Score
NONE
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wintercms | Winter | < 1.2.10 |
Related Weaknesses (CWE)
References
- https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fPatch
- https://github.com/wintercms/winter/releases/tag/v1.2.10ProductRelease Notes
- https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjmPatchVendor Advisory
FAQ
What is CVE-2026-22254?
CVE-2026-22254 is a vulnerability with a CVSS score of 0.0 (NONE). Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upl...
How severe is CVE-2026-22254?
CVE-2026-22254 has been rated NONE with a CVSS base score of 0.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-22254?
Check the references section above for vendor advisories and patch information. Affected products include: Wintercms Winter.