NuGet package
umbracocms
pkg:nuget/umbracocms
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-47776 | — | | | — | — | Jan 15, 2026 | Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and |
| CVE-2024-48927 | — | | | >= 8.0.0, < 8.18.15 | 8.18.15 | Oct 22, 2024 | Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” S |
| CVE-2024-48926 | — | | | >= 8.0.0, < 8.18.15 | 8.18.15 | Oct 22, 2024 | Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message befo |
| CVE-2024-28868 | — | | | >= 10.0.0, < 10.8.5 | 10.8.5 | Mar 20, 2024 | Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively |
| CVE-2020-5811 | — | | | < 8.9.2 | 8.9.2 | Dec 30, 2020 | An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package. |
| CVE-2020-29454 | — | | | < 8.10.0 | 8.10.0 | Dec 2, 2020 | Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access. |
| CVE-2020-9472 | — | | | < 8.5.4 | 8.5.4 | Mar 16, 2020 | Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. |