Moderate severityOSV Advisory· Published Jan 15, 2026· Updated Apr 7, 2026

Umbraco v8.14.1 - 'baseUrl' SSRF

CVE-2021-47776

Description

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.

Affected products

Umbraco/Umbraco CMSOSV
Range: 4.7.2, Release-4.5.2, Release-4.6.0, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/50462ghsaexploitWEB
github.com/advisories/GHSA-h66j-xm43-47ppghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-47776ghsaADVISORY
our.umbraco.comghsaWEB
our.umbraco.commitreproduct
releases.umbraco.com/all-releasesghsaproductWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000