VYPR
Vendor

Umbraco

Products
6
CVEs
56
Across products
56
Status
Private

Products

6

Recent CVEs

56
View all 56 CVEs →
  • CVE-2012-1301CriApr 13, 2017
    risk 0.64cvss 9.8epss 0.03

    The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter.

  • CVE-2014-10074CriAug 27, 2018
    risk 0.57cvss 9.8epss 0.03

    Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files.

  • CVE-2015-8814HigMar 3, 2017
    risk 0.50cvss 8.8epss 0.01

    Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file.

  • CVE-2015-8813HigMar 3, 2017
    risk 0.47cvss 8.2epss 0.12

    The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter.

  • CVE-2015-8815MedMar 3, 2017
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0 allow remote attackers to inject arbitrary web script or HTML via the name parameter to (1) the media page, (2) the developer data edit page, or (3) the form page.

  • CVE-2024-35240MedMay 28, 2024
    risk 0.35cvss 5.4epss 0.00

    Umbraco Commerce is an open source dotnet ecommerce solution. In affected versions there exists a stored Cross-site scripting (XSS) issue which would enable attackers to inject malicious code into Print Functionality. This issue has been addressed in versions 12.1.4, and 10.0.5.…

  • CVE-2026-46609MedJun 10, 2026
    risk 0.30cvss 4.6epss 0.00

    Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

  • CVE-2017-15280MedOct 12, 2017
    risk 0.29cvss 5.5epss 0.01

    XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype…

  • CVE-2026-46616MedJun 10, 2026
    risk 0.28cvss 5.4epss 0.00

    Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters…

  • CVE-2017-15279MedOct 12, 2017
    risk 0.28cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and…

  • CVE-2012-10054Aug 13, 2025
    risk 0.10cvss epss 0.03

    Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the…

  • CVE-2019-25137May 18, 2023
    risk 0.04cvss epss 0.04

    Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

  • CVE-2026-31834Mar 10, 2026
    risk 0.00cvss epss 0.00

    Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to…

  • CVE-2026-31833Mar 10, 2026
    risk 0.00cvss epss 0.00

    Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify…

  • CVE-2026-31832Mar 10, 2026
    risk 0.00cvss epss 0.00

    Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue…

  • CVE-2021-47776Jan 15, 2026
    risk 0.00cvss epss 0.00

    Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent,…

  • CVE-2025-67288Dec 22, 2025
    risk 0.00cvss epss 0.01

    An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system…

  • CVE-2025-66625Dec 9, 2025
    risk 0.00cvss epss 0.00

    Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s…

  • CVE-2025-54425Jul 30, 2025
    risk 0.00cvss epss 0.00

    Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure…

  • CVE-2025-49147Jun 24, 2025
    risk 0.00cvss epss 0.00

    Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password…