103 matches found
CVE-2026-27591
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
PT-2026-25530
Recently I discovered CVE-2026-32593 while testing a Winter CMS plugin. For more info, check this write-up: https://t.co/5CCGUR9qMr infosec bugbounty cybersecurity websecurity appsec cve securityresearch pentesting bugbountytips https://t.co/RdxvJ4mFce...
Winter vulnerable to privilege escalation by authenticated backend users
Impact Affected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security...
EUVD-2026-11406
Winter vulnerable to privilege escalation by authenticated backend users...
GHSA-PGPF-M8M4-6CG6 Winter vulnerable to privilege escalation by authenticated backend users
Impact Affected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security...
CVE-2026-27591 Winter: Privilege escalation by authenticated backend users
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591 Winter: Privilege escalation by authenticated backend users
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591 Winter: Privilege escalation by authenticated backend users
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-22254
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...
CVE-2026-22254
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...
CVE-2026-22254
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...
CVE-2026-22254 Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...
CVE-2026-22254
Winter CMS (Laravel-based) versions prior to 1.2.10 allow users with access to the CMS Asset Manager and the cms.manage_assets permission to upload SVGs without automatic sanitization, enabling stored XSS via specially crafted SVG uploads. The vulnerability requires backend access with the mentio...
Winter 安全漏洞
Winter is a free and open-source content management system developed using the Laravel PHP framework. Versions of Winter prior to 1.2.10 contained security vulnerabilities. These vulnerabilities stemmed from allowing users with access to the CMS resource manager to upload SVG files that were not...
Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager
Impact Affected versions of Winter CMS allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manageasset...
GHSA-M7GW-RFFQ-RXJM Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager
Impact Affected versions of Winter CMS allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manageasset...
PT-2026-6448
Impact Affected versions of Winter CMS allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage asse...
PT-2026-6545
Name of the Vulnerable Software and Affected Versions Winter CMS versions prior to 1.2.10 Description Winter CMS versions before 1.2.10 allow users with access to the CMS Asset Manager to upload Scalable Vector Graphics SVGs without proper sanitization. An attacker needs access to the Backend wit...
EUVD-2022-7004
Malicious code in bioql PyPI...