XSS in Wintercms Winter

CVE-2026-22254

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager to upload SVGs without automatic sanitization…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (3.1th percentile)

Affected products

Weakness classification (CWE)

References