Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account holding the cms.manage_assets permission. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission be reserved only for trusted administrators and developers. This vulnerability is fixed in 1.2.10.
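The description above names the root cause (SVG uploads stored and served without sanitization, so embedded script runs in the browser of anyone who views the asset) and the fix (sanitize at upload time). The following stdlib-only Python sanitiser is an added example to make that check concrete; it is not part of the advisory and is not Winter's own `Winter\Storm\Support\Svg::extract` that the patch calls. All function names are hypothetical and the sample SVG is constructed for the demonstration. It also mirrors the patch's "only sanitize files stored with an `.svg` extension" gate, but compares the extension case-insensitively.

```python
"""Upload-time SVG sanitisation: a stdlib-only illustration of the class of
check that Winter CMS 1.2.10 adds. Added example; not the project's
Winter\\Storm\\Support\\Svg::extract. Every name here is hypothetical."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Register the namespaces so the serialised output keeps plain <svg>/<a> tags
# instead of generated ns0: prefixes.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Element local names that execute script when a browser renders the SVG.
SCRIPT_ELEMENTS = {"script"}
# URL-valued attribute local name (the same local name covers href and xlink:href).
URL_ATTRIBUTE = "href"


def _local(qname: str) -> str:
    """Strip a '{namespace}' prefix from an ElementTree tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes: bytes) -> tuple[str, list[str]]:
    """Return (cleaned SVG text, findings).

    findings lists what was removed so an upload handler can log it, or reject
    the file outright, rather than silently cleaning it.
    """
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) in SCRIPT_ELEMENTS:
        raise ValueError("document root is an executable element")
    findings: list[str] = []
    # Snapshot the tree first: removing children while iterating skips nodes.
    elements = list(root.iter())
    for parent in elements:
        for child in list(parent):
            if _local(child.tag) in SCRIPT_ELEMENTS:
                parent.remove(child)
                findings.append(f"removed <{_local(child.tag)}> element")
    for elem in elements:
        for attr in list(elem.attrib):
            name = _local(attr)
            value = elem.attrib[attr]
            if name.lower().startswith("on"):
                # Event handler attributes (onload, onclick, ...) are script.
                del elem.attrib[attr]
                findings.append(f"removed {name} handler on <{_local(elem.tag)}>")
            elif name == URL_ATTRIBUTE and value.strip().lower().startswith("javascript:"):
                # A javascript: URL in href runs when the link is activated.
                del elem.attrib[attr]
                findings.append(f"removed javascript: URL on <{_local(elem.tag)}>")
    return ET.tostring(root, encoding="unicode"), findings


def sanitize_upload(filename: str, data: bytes) -> tuple[bytes, list[str]]:
    """Upload hook in the shape of the patch: sanitise only files that will be
    stored with an .svg extension. The extension is compared case-insensitively
    so a file named logo.SVG is not skipped. Other files pass through untouched."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "svg":
        return data, []
    cleaned, findings = sanitize_svg(data)
    return cleaned.encode("utf-8"), findings


# Constructed sample: one script element, one event handler, one javascript: URL,
# plus two harmless shapes that must survive sanitisation.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed */">
  <script>/* constructed */</script>
  <a xlink:href="javascript:/* constructed */"><circle cx="5" cy="5" r="4"/></a>
  <rect width="10" height="10" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    cleaned, findings = sanitize_upload("logo.SVG", SAMPLE_SVG)
    print(cleaned.decode())
    for finding in findings:
        print("finding:", finding)
```

The findings list is the part an asset manager should act on: a storage backend that merely strips script and writes the result back loses the signal that a trusted account just uploaded an executable SVG, which is exactly the audit event the advisory's permission guidance is about. A production deployment should use an established sanitiser with a proper element and attribute allowlist; this stripper only covers the three vectors shown.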
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| winter/wn-cms-module (Packagist) | < 1.2.10 | 1.2.10 |
Patches
8a7f74b004fc: Sanitize SVGs when uploaded to the theme assets
1 file changed · +28 −18
modules/cms/widgets/AssetList.php+28 −18 modified@@ -1,22 +1,25 @@ -<?php namespace Cms\Widgets; - -use Str; -use Url; -use File; -use Lang; -use Input; -use Request; -use Response; -use Cms\Classes\Theme; -use Cms\Classes\Asset; +<?php + +namespace Cms\Widgets; + use Backend\Classes\WidgetBase; -use ApplicationException; -use Symfony\Component\HttpFoundation\File\UploadedFile; -use Winter\Storm\Filesystem\Definitions as FileDefinitions; -use RecursiveIteratorIterator; -use RecursiveDirectoryIterator; +use Cms\Classes\Asset; +use Cms\Classes\Theme; use DirectoryIterator; use Exception; +use Illuminate\Support\Facades\Lang; +use Illuminate\Support\Facades\Request; +use Illuminate\Support\Facades\Response; +use RecursiveDirectoryIterator; +use RecursiveIteratorIterator; +use Symfony\Component\HttpFoundation\File\UploadedFile; +use Winter\Storm\Exception\ApplicationException; +use Winter\Storm\Filesystem\Definitions as FileDefinitions; +use Winter\Storm\Support\Facades\File; +use Winter\Storm\Support\Facades\Input; +use Winter\Storm\Support\Facades\Url; +use Winter\Storm\Support\Str; +use Winter\Storm\Support\Svg; /** * CMS asset list widget. @@ -642,7 +645,10 @@ public function onUpload() $fileName = null; try { - $uploadedFile = Input::file('file_data'); + /** + * @var \Illuminate\Http\UploadedFile + */ + $uploadedFile = Request::file('file_data'); if (!is_object($uploadedFile)) { return; @@ -678,10 +684,14 @@ public function onUpload() )); } + if (File::extension($fileName) === 'svg') { + File::put($uploadedFile->getRealPath(), Svg::extract($uploadedFile->getRealPath())); + } + /* * Accept the uploaded file */ - $uploadedFile = $uploadedFile->move($this->getCurrentPath(), $uploadedFile->getClientOriginalName()); + $uploadedFile = $uploadedFile->move($this->getCurrentPath(), $fileName); File::chmod($uploadedFile->getRealPath());
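Review bot: the import hunk folds an unrelated reorganisation into a security fix. Replacing the aliased facades (`Str`, `Url`, `File`, `Input`, `Request`, `Response`, `Lang`) with fully qualified `Winter\Storm\Support\Facades\...` and `Illuminate\Support\Facades\...` names and re-sorting the block buries the single functionally new line, `use Winter\Storm\Support\Svg;`, among twenty lines of churn. Suggest landing the import cleanup as its own commit so the security-relevant diff stays small, reviewable and easy to backport to maintained branches.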
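Review bot: the new `@var` annotation in `onUpload()` is spread over three lines and names `\Illuminate\Http\UploadedFile`, while the file still imports `Symfony\Component\HttpFoundation\File\UploadedFile`. Use the conventional single-line form `/** @var \Illuminate\Http\UploadedFile $uploadedFile */`, and check whether the Symfony import is still referenced anywhere; if it is not, drop it, and if it is, the annotation should name the type that is actually used. The switch from `Input::file('file_data')` to `Request::file('file_data')` is also not mentioned in the commit message and deserves a sentence there.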
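Review bot: `File::extension($fileName) === 'svg'` is a case-sensitive comparison. Unless `$fileName` has already been lower-cased earlier in `onUpload()` (not visible in this hunk), a file stored as `.SVG` skips the sanitisation branch while most web servers still serve it with the SVG content type; suggest `strtolower(File::extension($fileName)) === 'svg'`, or normalising `$fileName` once before both the check and the `move()` call. The accompanying change from `getClientOriginalName()` to `$fileName` in `move()` is what guarantees the extension that was checked is the extension the file is stored under, and is worth an inline comment so the coupling is not undone by a later refactor.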
References
- GHSA-m7gw-rffq-rxjm (GitHub Advisory Database): github.com/advisories/GHSA-m7gw-rffq-rxjm
- CVE-2026-22254 (NVD): nvd.nist.gov/vuln/detail/CVE-2026-22254
- Fix commit: github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65
- Release v1.2.10: github.com/wintercms/winter/releases/tag/v1.2.10
- Winter CMS security advisory (confirm): github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm
News mentions
- Risky Business #824 -- Microsoft's Secure Future is looking a bit wobbly (Risky Business, Feb 11, 2026)