Security: wintercms/winter
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Privilege escalation by authenticated backend users (GHSA-pgpf-m8m4-6cg6), published Mar 11, 2026 by LukeTowers, severity: Critical
- SVGs uploaded through the CMS AssetManager were not sanitized (GHSA-m7gw-rffq-rxjm), published Feb 4, 2026 by LukeTowers, severity: Low
- Sandbox bypass in Twig templates leading to data modification and deletion (GHSA-xhw3-4j3m-hq53), published Dec 9, 2024 by bennothommo, severity: High
- Local File Inclusion through Server Side Template Injection via LESS compilation of values provided to the Backend ColorPicker FormWidget (GHSA-2x7r-93ww-cxrq), published Dec 28, 2023 by LukeTowers, severity: Low
- Stored XSS through Backend ColorPicker FormWidget (GHSA-43w4-4j3c-jx29), published Dec 28, 2023 by LukeTowers, severity: Low
- Stored XSS through privileged upload of Media Manager file followed by renaming (GHSA-4wvw-75qh-fqjp), published Dec 28, 2023 by LukeTowers, severity: Low
- Stored XSS through privileged upload of SVG file (GHSA-wjw2-4j7j-6gc3), published Jul 7, 2023 by LukeTowers, severity: Low
- Prototype pollution in Snowboard framework (GHSA-3fh5-q6fg-w28q), published Oct 26, 2022 by bennothommo, severity: Low
- Bypass of CMS Safe Mode Security Feature (GHSA-q37h-jhf3-85cj), published Jul 15, 2022 by LukeTowers, severity: Moderate