CRITICAL 10.0 NuGet

Umbraco CMS has an arbitrary file upload vulnerability

GHSA-54mj-vcvj-q3v5 · CVE-2025-67288


Description

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. Although Umbraco provides hooks for file validation, it does not implement filtering by default; users are expected to implement their own validation.

Note: This vulnerability is disputed by Umbraco.
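
One way to supply the validation the description says is left to users, as an added example that is not part of the advisory or Umbraco's own code. It assumes the hook in question is Umbraco's `IFileStreamSecurityAnalyzer` interface (the advisory does not name the hook), that the upload stream is seekable, and that a strict deny-list of PDF active-content names is acceptable; the class name and the deny-list are constructed for illustration, since the advisory does not describe the crafted file.

```csharp
using System;
using System.IO;
using System.Text;
using Umbraco.Cms.Core.Security;

// Added example. Register in a composer or Program.cs (assumed registration):
//   builder.Services.AddSingleton<IFileStreamSecurityAnalyzer, PdfActiveContentAnalyzer>();
public class PdfActiveContentAnalyzer : IFileStreamSecurityAnalyzer
{
    private static readonly byte[] PdfMagic = Encoding.ASCII.GetBytes("%PDF-");

    // Constructed deny-list of PDF names that declare scripts, launch actions,
    // auto-run actions or attachments. Strict: a benign /OpenAction is rejected too.
    private static readonly string[] ActiveNames =
        { "/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA", "/EmbeddedFile" };

    // Decide by content, not by file extension or client-supplied MIME type.
    public bool ShouldHandle(Stream fileStream)
    {
        var head = new byte[PdfMagic.Length];
        fileStream.Seek(0, SeekOrigin.Begin);
        int read = fileStream.ReadAtLeast(head, head.Length, throwOnEndOfStream: false);
        fileStream.Seek(0, SeekOrigin.Begin);
        return read == head.Length && head.AsSpan().SequenceEqual(PdfMagic);
    }

    public bool IsConsideredSafe(Stream fileStream)
    {
        fileStream.Seek(0, SeekOrigin.Begin);
        // Latin1 maps every byte to one char, so binary sections do not break the scan.
        using var reader = new StreamReader(fileStream, Encoding.Latin1, false, 4096, leaveOpen: true);
        string body = reader.ReadToEnd(); // whole file in memory: enforce an upload size limit first
        fileStream.Seek(0, SeekOrigin.Begin);

        foreach (string name in ActiveNames)
        {
            int i = 0;
            while ((i = body.IndexOf(name, i, StringComparison.Ordinal)) >= 0)
            {
                int end = i + name.Length;
                // Match whole names only, so "/JS" does not reject an unrelated "/JSONData".
                if (end == body.Length || !char.IsLetterOrDigit(body[end]))
                    return false;
                i = end;
            }
        }
        return true;
    }
}
```

A raw byte scan does not see names stored inside compressed object streams, so treat this as one layer alongside an extension allow-list and a PDF parser or sanitizer rather than a complete filter.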
