Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-22254

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
06/02/2026
Last modified:
06/02/2026

Description

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.

Impact

Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 0.00 NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): None

Base Score 3.x
0.00
Severity 3.x
NONE

References to Advisories, Solutions, and Tools