Winter CMS SVG Upload Sanitization Vulnerability in Asset Manager

Vulnerability

A vulnerability in Winter CMS versions prior to 1.2.10 allows users with the 'cms.manage_assets' permission to upload SVG files through the Asset Manager without automatic sanitization. Because the uploaded SVG content is stored as-is, an attacker with Backend access and this permission could exploit the missing sanitization.

Impact

The vulnerability could lead to the upload of malicious SVG files that are not properly sanitized. Since SVG is an XML format that can embed script elements and event-handler attributes, such a file could cause harmful scripts or code to execute when it is rendered by a browser.
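As an added illustration of the sanitization the advisory refers to (this is example code, not Winter CMS's own implementation or its patch), the following Python detects the active content an SVG upload can carry and strips it; the sample SVG is constructed for the example.

```python
"""Detect and strip active content from an SVG upload (added example, not Winter CMS code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_ELEMENTS = ("script", "foreignobject")  # elements that can carry executable content


def _local(name: str) -> str:
    """Strip a '{namespace}' prefix from a tag or attribute name and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def _is_active_attr(name: str, value: str) -> bool:
    """True for event handlers (on*) and javascript: links, in any namespace (e.g. xlink:href)."""
    local = _local(name)
    return local.startswith("on") or (local == "href" and value.strip().lower().startswith("javascript:"))


def find_active_content(svg_text: str) -> list[str]:
    """Return findings ('element:script', 'attribute:onload', ...) that make an SVG executable."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        if _local(elem.tag) in ACTIVE_ELEMENTS:
            findings.append(f"element:{_local(elem.tag)}")
        for attr, value in elem.attrib.items():
            if _is_active_attr(attr, value):
                findings.append(f"attribute:{_local(attr)}")
    return findings


def sanitize_svg(svg_text: str) -> str:
    """Return the SVG with active elements, event handlers and javascript: links removed."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):          # snapshot: we mutate the tree while walking it
        for child in list(parent):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            if _is_active_attr(attr, elem.attrib[attr]):
                del elem.attrib[attr]
    ET.register_namespace("", SVG_NS)         # serialize with a default xmlns, not ns0: prefixes
    return ET.tostring(root, encoding="unicode")


# Constructed sample upload: a harmless drawing plus a script element, an onload handler
# and a javascript: link, all of which a sanitizer must remove.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" onload="/* handler */">'
    "<script>/* inline script placeholder */</script>"
    '<circle cx="5" cy="5" r="4" fill="red"/>'
    '<a href="javascript:void(0)"><text x="1" y="9">x</text></a>'
    "</svg>"
)
```

Running `find_active_content` on an already sanitized file should return an empty list, which is a cheap check to add to an upload handler before storing an asset.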

Remediation

Users can upgrade to Winter CMS version 1.2.10 or apply the patch available in commit 8a7f74b004fcd19721764fc63af0cdb339d9fb65 to manually resolve this issue.

Added: Feb 6, 2026, 8:26 PM
Updated: Feb 6, 2026, 11:54 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 5.8
remediation: 7.9
relevance: 2.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.