Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
GHSA-vrqc-59mw-qqg7 · CVE-2026-31833
Description
An authenticated backoffice user with access to the Settings section can inject malicious HTML into property type descriptions. The UFM DOMPurify instance configured its custom-element attribute name check (DOMPurify's CUSTOM_ELEMENT_HANDLING.attributeNameCheck) with the overly permissive pattern /.+/, which accepts every attribute name on Umbraco web components (umb-*, uui-*, ufm-*). As a result, event handler attributes such as onclick and onload placed on those elements were not filtered.
Impact
Because property type descriptions accept Markdown/HTML rendered through the UFM pipeline, the injected event handlers are emitted into the backoffice interface and run in the browsers of other backoffice users who view the affected property type, resulting in a stored XSS.
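The following is an added example, not code from Umbraco or DOMPurify. It models the single decision the advisory describes: on a custom element (a tag name containing a hyphen) that passes CUSTOM_ELEMENT_HANDLING.tagNameCheck, DOMPurify keeps any attribute whose name passes attributeNameCheck, with no separate rejection of on* handler names in that branch. The weak configuration below uses the /.+/ pattern from the advisory; the element prefixes, the hardened regex, the parser and the sample markup are assumptions constructed for illustration and are not the patched project code.

```javascript
// Added example (not Umbraco/DOMPurify code): how attributeNameCheck gates
// attributes on custom elements, and why /.+/ lets event handlers through.

// Assumed set of Umbraco element prefixes named in the advisory.
const CUSTOM_TAG = /^(umb|uui|ufm)-/i;

// Weak configuration: /.+/ accepts every attribute name, so onclick, onload,
// onerror, ... survive on any umb-*/uui-*/ufm-* element.
const weakConfig = {
  tagNameCheck: CUSTOM_TAG,
  attributeNameCheck: /.+/,
};

// Hardened configuration (assumed, illustrative): only plain attribute names that
// do not begin with "on". An allowlist shape is preferable to a denylist of known
// handler names, because the set of on* attributes keeps growing.
const hardenedConfig = {
  tagNameCheck: CUSTOM_TAG,
  attributeNameCheck: /^(?!on)[a-z][a-z0-9-]*$/i,
};

// Minimal start-tag parser for the constructed inputs below. It understands
// name="value", name='value', name=value and bare names; it is not an HTML tokenizer.
function parseStartTag(markup) {
  const tagMatch = /^<([a-z][a-z0-9-]*)([\s\S]*?)\/?>$/i.exec(markup.trim());
  if (!tagMatch) throw new Error(`not a start tag: ${markup}`);
  const attrs = [];
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = attrRe.exec(tagMatch[2])) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return { tag: tagMatch[1].toLowerCase(), attrs };
}

// The custom-element branch as modelled here: the element must look like a custom
// element and pass tagNameCheck, then the attribute name must pass attributeNameCheck.
// Nothing else about the name (such as an "on" prefix) is consulted.
function isAllowedOnCustomElement(tag, attrName, config) {
  const isCustomElement = tag.includes('-');
  return isCustomElement
    && config.tagNameCheck.test(tag)
    && config.attributeNameCheck.test(attrName);
}

// Rebuild the start tag with only the attributes the configuration keeps, and
// return the dropped names so the outcome can be checked programmatically.
function filterStartTag(markup, config) {
  const { tag, attrs } = parseStartTag(markup);
  const kept = [];
  const dropped = [];
  for (const a of attrs) {
    (isAllowedOnCustomElement(tag, a.name, config) ? kept : dropped).push(a);
  }
  const attrText = kept
    .map(a => `${a.name}="${a.value.replace(/"/g, '&quot;')}"`)
    .join(' ');
  return {
    html: kept.length ? `<${tag} ${attrText}>` : `<${tag}>`,
    dropped: dropped.map(a => a.name),
  };
}

// Constructed sample: the shape of markup an editor could place in a property
// description that the UFM pipeline renders. The handler body is a harmless marker.
const SAMPLE = '<umb-badge color="danger" onclick="alert(document.cookie)">';

console.log('weak:     ', filterStartTag(SAMPLE, weakConfig).html);      // handler kept
console.log('hardened: ', filterStartTag(SAMPLE, hardenedConfig).html);  // handler dropped
```

Run it with `node` to see the weak configuration pass the onclick attribute through untouched while the hardened name check strips it. A plain element such as `<div onclick="...">` never reaches the custom-element branch in this model, which is why the bug is specific to the umb-*/uui-*/ufm-* tags the tagNameCheck admits.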
Patches
The issue is patched in 16.5.1 and 17.2.2.
Workarounds
There is no workaround other than upgrading.
References
https://docs.umbraco.com/umbraco-cms/reference/umbraco-flavored-markdown