Moderate severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

CVE-2026-31833

Description

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered. This vulnerability is fixed in 16.5.1 and 17.2.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Umbraco.CmsNuGet	>= 16.2.0, < 16.5.1	16.5.1
Umbraco.CmsNuGet	>= 17.0.0, < 17.2.2	17.2.2

Affected products

Umbraco/Umbraco CMSv5
Range: >= 16.2.0, < 16.5.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-vrqc-59mw-qqg7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-31833ghsaADVISORY
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vrqc-59mw-qqg7ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000