WinterCMS is a flexible PHP content management system for building websites and applications. Historically, it has been susceptible to multiple remote code execution vulnerabilities, cross-site scripting flaws, and privilege escalation issues, accounting for its nine recorded CVEs. The platform's modular architecture introduces potential attack surfaces through plugins and themes. While no major public security incidents have been widely documented, the consistent pattern of vulnerabilities suggests developers should implement strict input validation, apply least-privilege configurations, and keep the system updated to mitigate risks associated with its historically vulnerable components.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-27591 | Winter: Privilege escalation by authenticated backend users — winter / CWE-284 | 10.0 | Critical | 2026-03-11 |
| CVE-2026-22254 | Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager — winter / CWE-79 | - | - | 2026-02-06 |
| CVE-2024-54149 | Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion — winter / CWE-184 | 8.5 | High | 2024-12-09 |
| CVE-2023-52085 | Winter CMS Local File Inclusion through Server Side Template Injection — winter / CWE-22 | 3.3 | Low | 2023-12-29 |
| CVE-2023-52084 | Winter CMS Stored XSS through Backend ColorPicker FormWidget — winter / CWE-79 | 2.0 | Low | 2023-12-28 |
| CVE-2023-52083 | Stored XSS through privileged upload of Media Manager file followed by renaming — winter / CWE-79 | 2.0 | Low | 2023-12-28 |
| CVE-2023-37269 | Winter CMS vulnerable to stored XSS through privileged upload of SVG file — winter / CWE-79 | 2.0 | Low | 2023-07-07 |
| CVE-2022-39357 | Winter vulnerable to Prototype Pollution in Snowboard framework — winter / CWE-1321 | 8.1 | High | 2022-10-26 |
This page lists every published CVE security advisory associated with wintercms. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.