[LOW] Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager

PKSA-dsmp-sffr-jt46 CVE-2026-22254 GHSA-m7gw-rffq-rxjm

Affected version: <=1.2.9

Reported by:
GitHub

[HIGH] Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion

PKSA-8z3f-18br-spt2 CVE-2024-54149 GHSA-xhw3-4j3m-hq53

Affected version: <1.0.476|>=1.1.0,<1.1.11|>=1.2.0,<1.2.7

Reported by:
GitHub