CVE-2026-22254

Name of the Vulnerable Software and Affected Versions Winter CMS versions prior to 1.2.10

Description Winter CMS versions before 1.2.10 allow users with access to the CMS Asset Manager to upload Scalable Vector Graphics (SVGs) without proper sanitization. An attacker needs access to the Backend with a user account possessing the cms.manage assets permission to exploit this issue. The cms.manage assets permission should be restricted to trusted administrators and developers.

Recommendations Upgrade to Winter CMS version 1.2.10 or later. As a workaround, apply commit 8a7f74b004fcd19721764fc63af0cdb339d9fb65 to your Winter CMS installation manually. Restrict the cms.manage assets permission to trusted administrators and developers.