Umbraco CMS contains a server-side request forgery vulnerability

GHSA-h66j-xm43-47pp · CVE-2021-47776

Published Jan 15, 2026 · Modified Feb 3, 2026

Description

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-47776
PACKAGE https://github.com/umbraco/Umbraco-CMS
WEB https://our.umbraco.com
WEB https://releases.umbraco.com/all-releases
WEB https://www.exploit-db.com/exploits/50462

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes