PT-2026-6545 · Unknown · Winter Cms

Iamunixtz · Published 2026-02-04 · Updated 2026-02-06 · CVE-2026-22254

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Winter CMS versions prior to 1.2.10

Description: Winter CMS versions before 1.2.10 allow users with access to the CMS Asset Manager to upload Scalable Vector Graphics (SVG) files without proper sanitization. Because an SVG is an XML document that may contain script elements, event-handler attributes and javascript: URLs, an unsanitized SVG served from the site's own origin executes in the browser of any user who opens it, which makes this a stored cross-site scripting issue. Exploitation requires access to the backend with a user account holding the cms.manage_assets permission, so the attacker is already a privileged user; the permission should be restricted to trusted administrators and developers.

Recommendations: Upgrade to Winter CMS version 1.2.10 or later. As a workaround, apply commit 8a7f74b004fcd19721764fc63af0cdb339d9fb65 to your Winter CMS installation manually. In either case, restrict the cms.manage_assets permission to trusted administrators and developers.
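As an added illustration of what "SVG without proper sanitization" means in practice, the following Python script is not Winter CMS code and does not reproduce the change in the cited commit. It builds a sample SVG (constructed for this example) carrying the usual active-content vectors, reports what a sanitizer must reject, and produces a stripped copy. The element and attribute lists, the function names and the sample file are this example's own assumptions.

```python
"""Detect and strip active content from an SVG upload.

Added example for this advisory; it is not Winter CMS code and not the
change in the referenced commit. The element and attribute lists are this
example's own assumptions about what an asset-manager sanitizer should
reject, and the sample SVG below is constructed for demonstration.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign (HTML) markup. Assumption:
# an ordinary CMS asset never needs them.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value is a URL; a javascript: scheme runs on click/use.
URL_ATTRIBUTES = {"href"}                 # covers both href and xlink:href
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

# Constructed sample: an SVG that runs script in any browser rendering it
# from the site's own origin.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">hi</div></foreignObject>
  <rect width="10" height="10" fill="red"/>
</svg>"""


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def _bad_attributes(elem):
    """Yield (qualified attribute key, kind) for attributes carrying script."""
    for attr, value in elem.attrib.items():
        name = _local(attr)
        if name.lower().startswith("on"):          # onload, onclick, ...
            yield attr, "event-handler"
        elif name in URL_ATTRIBUTES and SCRIPT_SCHEME.match(value):
            yield attr, "script-url"


def find_active_content(svg_text):
    """Return [(kind, name), ...] in document order; [] means nothing flagged."""
    root = ET.fromstring(svg_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) in DANGEROUS_ELEMENTS:
            findings.append(("element", _local(elem.tag)))
        for attr, kind in _bad_attributes(elem):
            findings.append((kind, _local(attr)))
    return findings


def sanitize_svg(svg_text):
    """Return the SVG with dangerous elements and attributes removed.

    This strips scripted content only; it does not inspect <style> blocks or
    data: URLs, which a production filter must also handle.
    """
    root = ET.fromstring(svg_text)
    # Snapshot first: removing children while walking a live iterator is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr, _kind in list(_bad_attributes(elem)):
            del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for kind, name in find_active_content(MALICIOUS_SVG):
        print(f"rejected {kind}: {name}")
    print(sanitize_svg(MALICIOUS_SVG))
```

Two caveats for anyone adapting this: xml.etree does not resolve external entities but does expand internal ones, so parse untrusted XML with an entity-limiting parser (for example the defusedxml package) or reject DOCTYPE declarations outright; and sanitizing is only one layer, since serving user uploads from a separate origin, or with a Content-Security-Policy and Content-Disposition: attachment, keeps a missed vector from running in the backend's origin.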

Weakness Enumeration

XSS (cross-site scripting)

Related Identifiers

CVE-2026-22254
GHSA-m7gw-rffq-rxjm

Affected Products

Winter Cms