NuGet package
umbraco.cms
pkg:nuget/umbraco.cms
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31834 | — | | | >= 15.3.1, < 16.5.1 | 16.5.1 | Mar 10, 2026 | Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to in |
| CVE-2026-31833 | — | | | >= 16.2.0, < 16.5.1 | 16.5.1 | Mar 10, 2026 | Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instanc |
| CVE-2026-31832 | — | | | >= 14.0.0, < 16.5.1 | 16.5.1 | Mar 10, 2026 | Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue |
| CVE-2025-67288 | — | | | <= 16.3.3 | — | Dec 22, 2025 | An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system ad |
| CVE-2025-66625 | — | | | >= 10.0.0, < 13.12.1 | 13.12.1 | Dec 9, 2025 | Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application's error r |
| CVE-2025-49147 | — | | | >= 10.0.0, < 10.8.11 | 10.8.11 | Jun 24, 2025 | Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirement |
| CVE-2025-48953 | — | | | >= 14.0.0, < 15.4.2 | 15.4.2 | Jun 3, 2025 | Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versi |
| CVE-2025-46736 | — | | | >= 11.0.0-rc1, < 13.8.1 | 13.8.1 | May 6, 2025 | Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No kn |
| CVE-2025-32017 | — | | | >= 14.0.0--preview004, < 14.3.4 | 14.3.4 | Apr 8, 2025 | Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is pat |
| CVE-2025-24011 | — | | | >= 14.0.0, < 14.3.2 | 14.3.2 | Jan 21, 2025 | Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versio |
| CVE-2024-10761 | — | | | >= 11.0.0, < 13.5.3 | 13.5.3 | Nov 4, 2024 | A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross si |
| CVE-2024-48929 | — | | | >= 13.0.0, < 13.5.2 | 13.5.2 | Oct 22, 2024 | Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch fo |
| CVE-2024-48927 | — | | | >= 10.0.0, < 10.8.7 | 10.8.7 | Oct 22, 2024 | Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they "preview" S |
| CVE-2024-48926 | — | | | >= 13.0.0, < 13.5.2 | 13.5.2 | Oct 22, 2024 | Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message befo |
| CVE-2024-48925 | — | | | >= 14.0.0, < 14.3.0 | 14.3.0 | Oct 22, 2024 | Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users |
| CVE-2024-43377 | — | | | >= 14.0.0, < 14.1.2 | 14.1.2 | Aug 20, 2024 | Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2. |
| CVE-2023-49279 | — | | | >= 7.0.0, < 7.15.11 | 7.15.11 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media |
| CVE-2023-49278 | — | | | >= 8.0.0, < 8.18.10 | 8.18.10 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. |
| CVE-2023-49274 | — | | | >= 8.0.0, < 8.18.10 | 8.18.10 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain |
| CVE-2023-49273 | — | | | >= 8.0.0, < 8.18.10 | 8.18.10 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this |
Page 1 of 2