CVE-2026-22254 NONE

CVE-2026-22254: Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager

Vendor Wintercms
Product winter
Weakness CWE-79 · XSS
Published February 6, 2026
Last update February 9, 2026

CVSS base score

0.0/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N

What the vulnerability does

Description

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account holding the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission be reserved for trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
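As an added defender's example (not Winter CMS code), the following check flags script-capable content in an uploaded SVG before it is stored, the kind of automatic sanitization gate the description says was missing before 1.2.10. The tag and attribute lists are an illustrative denylist of my own, not the project's sanitizer rules, and the two sample SVGs are constructed.

```python
import xml.etree.ElementTree as ET

# Illustrative denylist (assumption, not Winter CMS's own rules): SVG elements
# and attribute patterns that can execute script when the file is rendered inline.
DANGEROUS_TAGS = {"script", "foreignobject"}
DANGEROUS_URL_PREFIXES = ("javascript:", "data:text/html")


def _local(name: str) -> str:
    """Strip an XML namespace such as '{http://www.w3.org/2000/svg}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list[str]:
    """Return findings describing script-capable content; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that does not parse as XML is rejected rather than trusted.
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            normalized = value.strip().lower().replace("\n", "").replace("\t", "")
            if name == "href" and normalized.startswith(DANGEROUS_URL_PREFIXES):
                findings.append(f"{name} with active URL scheme on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """Upload gate: accept the SVG only when no active content was found."""
    return not find_active_content(svg_text)


# Constructed samples: a plain shape, and one carrying an event handler plus a script element.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
UNSAFE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              '<script>x()</script></svg>')

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("unsafe", UNSAFE_SVG)):
        print(label, "accepted" if is_safe_svg(svg) else find_active_content(svg))
```

A real sanitizer would rewrite the document (dropping the flagged nodes) rather than only rejecting it; this gate shows the decision point where an asset manager should refuse unsanitized SVG.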

Key dates

Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated