Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
Published: 2026-02-06
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) in Winter CMS Asset Manager
Action: Patch Now
AI Analysis

Impact

A stored XSS flaw exists in the Asset Manager of Winter CMS versions prior to 1.2.10. The flaw allows a user with cms.manage_assets permission to upload aggressively crafted SVG files that are not automatically sanitized. When stored and later requested, the malicious script executes in any browser that loads the asset, potentially compromising confidentiality, integrity, or availability of the affected user’s session. The vulnerability is categorized under CWE‑79 and CWE‑80.

Affected Systems

The issue affects installations of Winter CMS older than version 1.2.10. All users who can access the Asset Manager with the cms.manage_assets permission are at risk. The fix is released in version 1.2.10 and later.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not included in the CISA KEV catalog, indicating a low probability of widespread exploitation. Exploitation requires that the attacker already possess a backend account with the cms.manage_assets privilege or compromise an account with that privilege. Attackers can then upload a malicious SVG via the Asset Manager, which when viewed by any logged‑in user will inject JavaScript into the page. Because the script runs with the privileges of the viewing user, an attacker could hijack sessions, steal cookies, or perform phishing actions.

Generated by OpenCVE AI on April 17, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Winter CMS 1.2.10 or later, which removes the unsanitized SVG upload path.
  • Restrict the cms.manage_assets permission to trusted administrators only; revoke it from all other roles.
  • If an upgrade is not immediately possible, disable SVG uploads in the Asset Manager or implement server‑side sanitization of uploaded files to remove embedded scripts.

Generated by OpenCVE AI on April 17, 2026 at 22:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m7gw-rffq-rxjm Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager
History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wintercms
Wintercms winter
Vendors & Products Wintercms
Wintercms winter

Fri, 06 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
Title Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Weaknesses CWE-79
CWE-80
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N'}

Subscriptions

Wintercms Winter
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:28:17.194Z

Reserved: 2026-01-07T05:19:12.922Z

Link: CVE-2026-22254

cve-icon Vulnrichment

Updated: 2026-02-09T15:19:27.873Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T20:16:10.057

Modified: 2026-02-20T21:03:13.973

Link: CVE-2026-22254

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses