Umbraco.CMS (nuget) security advisories

MEDIUM 5.4

NuGet

CVE-2026-46616

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

May 21, 2026

MEDIUM 4.6

NuGet

CVE-2026-46609

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

May 21, 2026

HIGH 7.2

NuGet

CVE-2026-31834

Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Mar 11, 2026

MEDIUM 6.7

NuGet

CVE-2026-31833

Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Mar 11, 2026

MEDIUM 5.4

NuGet

CVE-2026-31832

Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Mar 11, 2026

CRITICAL 10.0

NuGet

CVE-2025-67288

Umbraco CMS has an arbitrary file upload vulnerability

Dec 22, 2025

MEDIUM 4.9

NuGet

CVE-2025-66625

Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality

Dec 9, 2025

MEDIUM 5.3

NuGet

CVE-2025-49147

Umbraco CMS disclosure of configured password requirements

Jun 24, 2025

MEDIUM 5.5

NuGet

CVE-2025-48953

Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads

Jun 4, 2025

MEDIUM 5.3

NuGet

CVE-2025-46736

Umbraco Makes User Enumeration Feasible Based on Timing of Login Response

May 6, 2025

MEDIUM 5.3

NuGet

CVE-2025-24011

Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Jan 21, 2025

HIGH 8.8

NuGet

CVE-2025-32017

Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

Apr 9, 2025

MEDIUM 4.3

NuGet

CVE-2024-10761

XSS/HTML Injection Vulnerability in Umbraco Preview Badge

Jan 21, 2025

NONE 0.0

NuGet

CVE-2024-48925

Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API

Oct 22, 2024

MEDIUM 4.6

NuGet

CVE-2024-48927

Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice

Oct 22, 2024

MEDIUM 4.2

NuGet

CVE-2024-48926

Umbraco CMS logout page displayed before session expiration

Oct 22, 2024

MEDIUM 4.2

NuGet

CVE-2024-48929

Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out

Oct 22, 2024

MEDIUM 5.4

NuGet

CVE-2024-43377

Umbraco CMS Improper Access Control vulnerability

Aug 20, 2024

NONE 0.0

NuGet

CVE-2023-49279

Stored XSS via SVG File Upload

Dec 13, 2023

MEDIUM 4.3

NuGet

CVE-2023-48313

DOM-XSS on Backoffice login screen.

Dec 13, 2023

NONE 0.0

NuGet

CVE-2023-49089

Using the directory back payload (“/../”) in a package name allows placement of package in other folders.

Dec 13, 2023

NONE 0.0

NuGet

CVE-2023-49278

Brute force exploit can be used to collect valid usernames

Dec 13, 2023

NONE 0.0

NuGet

CVE-2023-38694

Possible injection of HTML into user invite mails

Dec 13, 2023

LOW 3.7

NuGet

CVE-2023-49274

SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.

Dec 13, 2023

MEDIUM 5.4

NuGet

CVE-2023-49273

Privilege Escalation using Spoofing

Dec 13, 2023

NONE 0.0

NuGet

CVE-2023-48227

Backoffice User can bypass "Publish" restriction

Dec 13, 2023

HIGH 8.8

NuGet

CVE-2015-8814

Umbraco CMS vulnerable to CSRF

May 17, 2022

HIGH 8.2

NuGet

CVE-2015-8813

Umbraco CMS vulnerable to CSRF

May 17, 2022

Umbraco.CMS

Vulnerabilities

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Umbraco CMS has an arbitrary file upload vulnerability

Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality

Umbraco CMS disclosure of configured password requirements

Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads

Umbraco Makes User Enumeration Feasible Based on Timing of Login Response

Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

XSS/HTML Injection Vulnerability in Umbraco Preview Badge

Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API

Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice

Umbraco CMS logout page displayed before session expiration

Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out

Umbraco CMS Improper Access Control vulnerability

Stored XSS via SVG File Upload

DOM-XSS on Backoffice login screen.

Using the directory back payload (“/../”) in a package name allows placement of package in other folders.

Brute force exploit can be used to collect valid usernames

Possible injection of HTML into user invite mails

SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.

Privilege Escalation using Spoofing

Backoffice User can bypass "Publish" restriction

Umbraco CMS vulnerable to CSRF

Umbraco CMS vulnerable to CSRF

Start Securing