{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T12:42:22.145","vulnerabilities":[{"cve":{"id":"CVE-2026-22254","sourceIdentifier":"security-advisories@github.com","published":"2026-02-06T20:16:10.057","lastModified":"2026-02-20T21:03:13.973","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10."},{"lang":"es","value":"Winter es un sistema de gestión de contenido (CMS) gratuito y de código abierto basado en el framework PHP Laravel. Las versiones de Winter CMS anteriores a la 1.2.10 permitían a los usuarios con acceso al Gestor de Activos del CMS subir SVGs sin sanitización automática. Para explotar activamente este problema de seguridad, un atacante necesitaría acceso al Backend con una cuenta de usuario con el siguiente permiso: cms.manage_assets. Los mantenedores de Winter CMS recomiendan encarecidamente que el permiso cms.manage_assets solo se reserve a administradores y desarrolladores de confianza en general. Esta vulnerabilidad está corregida en la 1.2.10."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N","baseScore":0.0,"baseSeverity":"NONE","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":0.9,"impactScore":0.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":0.9,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-80"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.10","matchCriteriaId":"588A92F0-EBF4-4A9A-A0A3-8BD4F9FDA03F"}]}]}],"references":[{"url":"https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/wintercms/winter/releases/tag/v1.2.10","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}