CVE-2026-22254
Unknown Unknown - Not Provided
SVG Upload Sanitization Bypass in Winter CMS Asset Manager

Publication date: 2026-02-06

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22254
EUVD
EUVD-2026-5618
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wintercms winter to 1.2.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22254 is a security vulnerability in Winter CMS versions before 1.2.10 related to the CMS Asset Manager module. It allows users with the cms.manage_assets permission to upload SVG files without automatic sanitization. This means that potentially malicious SVG content could be uploaded, which might contain harmful scripts or code.

To exploit this vulnerability, an attacker must have backend access with the cms.manage_assets permission, which is recommended to be restricted to trusted administrators and developers. The vulnerability is classified as CWE-80, indicating improper neutralization of script-related HTML tags, potentially enabling cross-site scripting (XSS) attacks via SVG files.

The issue was fixed in Winter CMS version 1.2.10 by implementing automatic sanitization of SVG files upon upload through the CMS Asset Manager.

Impact Analysis

If exploited, this vulnerability could allow an attacker with backend access and the cms.manage_assets permission to upload malicious SVG files that contain harmful scripts. This could lead to cross-site scripting (XSS) attacks within the CMS environment.

However, the impact is limited because exploitation requires high privileges and user interaction. The CVSS v3.1 base score is 0.0, indicating no direct impact on confidentiality, integrity, or availability of the system.

The main risk is to the security of the CMS backend environment and potentially to users interacting with the CMS if malicious SVG content is rendered without sanitization.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the upload of SVG files without sanitization through the Winter CMS Asset Manager by users with the cms.manage_assets permission.'}, {'type': 'paragraph', 'content': 'Detection can focus on identifying SVG file uploads to the CMS Asset Manager and verifying whether those SVG files have been sanitized.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to the CMS backend and file uploads, network detection might be limited, but you can audit backend user actions and uploaded files.'}, {'type': 'list_item', 'content': 'Check the version of Winter CMS; versions before 1.2.10 are vulnerable.'}, {'type': 'list_item', 'content': 'Review uploaded SVG files in the theme assets directory for presence of unsanitized or potentially malicious content.'}, {'type': 'list_item', 'content': 'Audit user accounts with cms.manage_assets permission to ensure only trusted users have this permission.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the resources, but general suggestions include:'}, {'type': 'list_item', 'content': "Use file system commands to list SVG files uploaded recently, e.g., `find /path/to/winter/themes -name '*.svg' -mtime -7` to find SVG files uploaded in the last 7 days."}, {'type': 'list_item', 'content': 'Manually inspect SVG files for suspicious scripts or tags.'}, {'type': 'list_item', 'content': 'Check Winter CMS version via the backend or by inspecting the installed version to confirm if it is before 1.2.10.'}] [2, 3]

Mitigation Strategies

The primary mitigation step is to upgrade Winter CMS to version 1.2.10 or later, where the vulnerability is fixed by automatic sanitization of SVG files upon upload.

If upgrading immediately is not possible, manually applying the fix from commit 8a7f74b (which implements SVG sanitization during uploads) can serve as a workaround.

Additionally, restrict the cms.manage_assets permission to only trusted administrators and developers to reduce the risk of exploitation.

  • Upgrade Winter CMS to version 1.2.10 or later.
  • Apply the patch from commit 8a7f74b if upgrade is not immediately feasible.
  • Review and limit user permissions, especially cms.manage_assets, to trusted users only.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart