Umbraco CMS Dashboard frame cross site scripting
Description
A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. Manipulation of the argument culture leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.8.8, 13.5.3, 14.3.2 or 15.1.2 addresses this issue. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Umbraco CMS up to versions 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1 contains a reflected XSS vulnerability in the Dashboard preview endpoint via the culture parameter.
Vulnerability
Overview
A cross-site scripting (XSS) vulnerability exists in Umbraco CMS versions up to 10.7.7, 12.3.6, 13.5.2, 14.3.1, and 15.1.1. The vulnerability is located in the file /Umbraco/preview/frame?id{}, part of the Dashboard component. The culture parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript or HTML. This is a reflected XSS issue that can be triggered remotely without authentication [1][3].
Exploitation
The attack is performed over HTTP by crafting a malicious culture parameter in the preview frame URL. The attacker must convince a user with access to the Umbraco backoffice to click a specially crafted link. No special privileges are required to trigger the vulnerability, but user interaction (clicking the link) is necessary. The attack complexity is low, and the vector is remote [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session within the Umbraco backoffice. This can lead to data theft, session hijacking, or defacement. The confidentiality and integrity impact is considered low since only backoffice users are affected, and the scope is unchanged [3].
Mitigation
The vendor has released patches. Upgrading to Umbraco CMS version 10.8.8, 13.5.3, 14.3.2, or 15.1.2 resolves the issue. Users unable to upgrade should apply vendor-provided workarounds or restrict access to the preview endpoint [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Umbraco.Cms | NuGet | >= 11.0.0, < 13.5.3 | 13.5.3 |
| Umbraco.Cms | NuGet | >= 14.0.0, < 14.3.2 | 14.3.2 |
| Umbraco.Cms | NuGet | >= 15.0.0, < 15.1.2 | 15.1.2 |
| Umbraco.Cms | NuGet | >= 10.8.7, < 10.8.8 | 10.8.8 |
| Umbraco.Cms.Web.Common | NuGet | >= 11.0.0, < 13.5.3 | 13.5.3 |
| Umbraco.Cms.Web.Common | NuGet | >= 14.0.0, < 14.3.2 | 14.3.2 |
| Umbraco.Cms.Web.Common | NuGet | >= 15.0.0, < 15.1.2 | 15.1.2 |
| Umbraco.Cms.Web.Common | NuGet | >= 10.8.7, < 10.8.8 | 10.8.8 |
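The mitigation section above says to upgrade, and the table gives the exact NuGet ranges to upgrade out of. The following is an added example (not code from Umbraco or from the advisory) that encodes those ranges and checks the `PackageReference` entries of a `.csproj` against them. The `.csproj` snippet is constructed sample input; the package names and ranges are taken from the table.

```python
"""Check Umbraco NuGet package versions in a .csproj against the advisory's
affected ranges.  Added example, not part of the advisory or of Umbraco."""
import xml.etree.ElementTree as ET

# (lower bound inclusive, upper bound exclusive, patched version), copied from
# the "Affected packages" table.  Both packages share the same ranges.
_RANGES = [
    ("10.8.7", "10.8.8", "10.8.8"),
    ("11.0.0", "13.5.3", "13.5.3"),
    ("14.0.0", "14.3.2", "14.3.2"),
    ("15.0.0", "15.1.2", "15.1.2"),
]
AFFECTED_RANGES = {
    "Umbraco.Cms": _RANGES,
    "Umbraco.Cms.Web.Common": _RANGES,
}


def parse_version(text):
    """Turn a NuGet version string into a comparable tuple.

    A pre-release suffix such as '-rc1' is dropped, and fewer than three
    numeric parts are padded with zeros so that '13.5' compares as '13.5.0'.
    """
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def find_affected_range(package, version):
    """Return the patched version to move to if `version` of `package`
    falls inside an affected range, otherwise None."""
    v = parse_version(version)
    for low, high, patched in AFFECTED_RANGES.get(package, []):
        if parse_version(low) <= v < parse_version(high):
            return patched
    return None


def scan_csproj(xml_text):
    """Return (package, version, patched_or_None) for each PackageReference
    in the project file that names one of the advisory's packages."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter("PackageReference"):
        name, version = ref.get("Include"), ref.get("Version")
        if name in AFFECTED_RANGES and version:
            findings.append((name, version, find_affected_range(name, version)))
    return findings


# Constructed sample project file: one affected reference, one already
# patched, one unrelated package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="13.5.2" />
    <PackageReference Include="Umbraco.Cms.Web.Common" Version="15.1.2" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, ver, patched in scan_csproj(SAMPLE_CSPROJ):
        status = f"AFFECTED, upgrade to {patched}" if patched else "not in an affected range"
        print(f"{pkg} {ver}: {status}")
```

Two things the ranges show that the prose does not: a 12.x install (for example 12.3.6, named in the description) falls inside the `>= 11.0.0, < 13.5.3` range and the only patched version listed for it is 13.5.3, so there is no 12.x fix to move to; and the 10.x range in the table (`>= 10.8.7, < 10.8.8`) is narrower than the description's "up to 10.7.7", so a 10.7.7 install is not flagged by the table's ranges even though the description calls it affected. Treat the description's wording as the conservative one when the two disagree.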
Affected products
Sourced from GHSA coordinates (3 entries).
- (no CPE) range: >= 11.0.0, < 13.5.3
- (no CPE) range: >= 11.0.0, < 13.5.3
- Umbraco/CMS (CPE v5) range: 10.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drive.google.com/file/d/1YoZgdlS3QT7Xu005j9RO-FFUT8RbB0Da/view (source: ghsa; tags: broken-link, exploit; WEB)
- github.com/advisories/GHSA-69cg-w8vm-h229 (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-10761 (source: ghsa; ADVISORY)
- vuldb.com (source: ghsa; tags: third-party-advisory; WEB)
- github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-69cg-w8vm-h229 (source: ghsa; tags: related; WEB)
- vuldb.com (source: ghsa; tags: signature, permissions-required; WEB)
- vuldb.com (source: ghsa; tags: vdb-entry, technical-description; WEB)
News mentions
No linked articles in our index yet.