Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

GHSA-vr9v-27gg-qgx4 · CVE-2026-46609

Published May 21, 2026 · Modified Jun 10, 2026

Description

Impact

Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding.

Patches

This issue has been patched in 17.4.0

References

WEB https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-46609
PACKAGE https://github.com/umbraco/Umbraco-CMS

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes