VYPR
Medium severity · 4.6 · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

CVE-2026-46609

Description

Impact

Authenticated users are able to inject HTML into an input field that is rendered in the confirmation dialog without proper output encoding.

Patches

This issue has been patched in 17.4.0

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can inject HTML into Umbraco Backoffice confirmation dialogs due to missing output encoding, leading to stored XSS; patched in 17.4.0.

Vulnerability Overview

CVE-2026-46609 is a cross-site scripting (XSS) vulnerability in Umbraco CMS, specifically in the backoffice confirmation dialog. The issue arises because user-supplied input in a certain field is rendered in the confirmation dialog without proper output encoding, allowing authenticated users to inject arbitrary HTML or JavaScript [1][2].
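The encoding gap described above, shown as an added example that is not Umbraco's backoffice code: a confirmation dialog template that interpolates a stored, user-controlled node name into its markup, first without and then with output encoding. The function names, the dialog template, the stored payload and the tag-listing helper are all assumptions constructed for this illustration.

```javascript
// Added example, not Umbraco's backoffice code: a confirmation dialog that
// interpolates a stored, user-controlled node name into its markup, first
// without and then with output encoding. The function names, the template
// and the stored payload below are constructed for this illustration.

// Entity-encode a value for the HTML element-content and double-quoted
// attribute contexts. '&' is replaced first so the entities produced for the
// other characters are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored name lands in the markup unchanged, so any
// '<' in it is parsed as a tag once the string is assigned to innerHTML or
// passed through an "unsafe HTML" rendering helper.
function renderConfirmDialogVulnerable(nodeName) {
  return (
    `<div class="dialog"><p>Delete "${nodeName}"?</p>` +
    `<button data-action="confirm">Confirm</button></div>`
  );
}

// Hardened pattern: the same template, but the untrusted value is encoded at
// the point where it meets the HTML context, so it is shown as literal text.
function renderConfirmDialogSafe(nodeName) {
  return (
    `<div class="dialog"><p>Delete "${escapeHtml(nodeName)}"?</p>` +
    `<button data-action="confirm">Confirm</button></div>`
  );
}

// List the opening tag names in a rendered fragment, in order. Used here to
// show which elements a browser would create; it is a test aid, not a filter.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed stored value: a node name an authenticated user could have saved.
// The event handler stands in for whatever script the attacker wants to run
// in the victim's backoffice session when the dialog is rendered.
const STORED_NODE_NAME = 'Home<img src=x onerror="alert(document.domain)">';

// Render the stored value through both templates and report the difference:
// any tag present in the vulnerable output but absent from the safe output
// was contributed by the untrusted value, not by the template.
function compareRenderers(nodeName) {
  const vulnerable = renderConfirmDialogVulnerable(nodeName);
  const safe = renderConfirmDialogSafe(nodeName);
  const vulnerableTags = tagNames(vulnerable);
  const safeTags = tagNames(safe);
  return {
    vulnerable,
    safe,
    vulnerableTags,
    safeTags,
    injected: vulnerableTags.filter((t) => !safeTags.includes(t)),
  };
}

const report = compareRenderers(STORED_NODE_NAME);
console.log("vulnerable tags:", report.vulnerableTags.join(", "));
console.log("safe tags:      ", report.safeTags.join(", "));
console.log("injected:       ", report.injected.join(", ") || "(none)");
```

The safe variant does by hand what an auto-escaping template layer does by default for interpolated values; the bug pattern reappears whenever that default is bypassed by building a string and assigning it to innerHTML, or by routing the value through a helper that marks it as trusted HTML. Note also that the encoder above is only correct for element content and quoted attribute values; a value placed in a URL, a JavaScript string or a CSS context needs the encoding rules of that context.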

Exploitation and Attack Surface

An attacker must be an authenticated backoffice user to exploit this vulnerability. The input is stored and later displayed in a confirmation dialog, so the attacker can craft a payload that executes in the context of other users when the dialog is rendered for them. The attack requires low privileges (an authenticated user) and user interaction (the victim must open the confirmation dialog in which the stored value is rendered) [2].

Impact

Successful exploitation allows the attacker to inject HTML or JavaScript, potentially leading to data theft, session hijacking, or other malicious actions within the backoffice scope. The vulnerability affects all versions from 14.0.0 up to and including 17.3.5 [2].

Mitigation

The vulnerability has been patched in Umbraco CMS version 17.4.0. Users are advised to upgrade immediately to this or a later version. No known workarounds are available [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
