๐Ÿ›ก๏ธ CVE-2026-22254
๐ŸŸข CVSS 2.0 โ€” Low โœ… No Known Exploit CWE-79 NVD
2.0
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.

Details

Severity NONE
CVSS Score 2.0
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
CWE CWE-79
Public Exploit โœ… No
Source NVD
Published 2026-02-06
Updated 2026-06-02
Modified 2026-02-20

Affected Packages

Software From version Fixed in
winter โ€” 1.2.10
winter/wn-cms-module โ€” 1.2.10

Similar Threats

Exploit Protection

Help block exploit attempts

BotEraser is designed to detect and help reduce malicious bot traffic that may target known vulnerabilities on your site.

Try BotEraser Free โ†’

No credit card required  ยท  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.