CVE-2026-22254

EUVD-2026-5618

06.02.2026, 20:16

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	0 NONE	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
GitHub_M	CNA	0 NONE	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
wintercms	winter	𝑥 < 1.2.10

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65

https://github.com/wintercms/winter/releases/tag/v1.2.10

https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm