
Umbraco — Vulnerabilities & Security Advisories (47)

Browse all 47 CVE security advisories affecting Umbraco. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Umbraco is an open-source .NET content management system designed for building and managing digital experiences. Its architecture relies heavily on ASP.NET, making it a frequent target for web application attacks. Historically, the platform has been vulnerable to critical flaws, including Remote Code Execution (RCE) and Cross-Site Scripting (XSS), often stemming from insufficient input validation or insecure default configurations. Privilege escalation vulnerabilities have also been documented, allowing attackers to gain administrative access through manipulated requests. While the core framework is robust, many security incidents involve third-party packages or custom implementations that fail to adhere to secure coding standards. Recent advisories highlight the importance of keeping the CMS and its extensions updated to mitigate known risks. The high number of recorded CVEs underscores the necessity for rigorous patch management and security auditing in Umbraco deployments to prevent exploitation of these persistent weaknesses.

Found 33 results / 47

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-31834 | Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks | Umbraco-CMS | CWE-269 | 7.2 | High | 2026-03-10 |
| CVE-2026-31833 | Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering | Umbraco-CMS | CWE-79 | 6.7 | Medium | 2026-03-10 |
| CVE-2026-31832 | Umbraco Backoffice API Allows Unauthorized Modification of Domain Data | Umbraco-CMS | CWE-639 | 5.4 | Medium | 2026-03-10 |
| CVE-2025-66625 | Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality | Umbraco-CMS | CWE-200 | 4.9 | Medium | 2025-12-09 |
| CVE-2025-54425 | Umbraco's Delivery API allows for cached requests to be returned with an invalid API key | Umbraco-CMS | CWE-200 | 5.3 | Medium | 2025-07-30 |
| CVE-2025-49147 | Umbraco.Cms Vulnerable to Disclosure of Configured Password Requirements | Umbraco-CMS | CWE-497 | 5.3 | Medium | 2025-06-24 |
| CVE-2025-48953 | Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads | Umbraco-CMS | CWE-434 | 5.5 | Medium | 2025-06-03 |
| CVE-2025-46736 | Umbraco Makes User Enumeration Feasible Based on Timing of Login Response | Umbraco-CMS | CWE-204 | 5.3 | Medium | 2025-05-06 |
| CVE-2025-32017 | Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users | Umbraco-CMS | CWE-23 | 8.8 | High | 2025-04-08 |
| CVE-2025-27602 | Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content | Umbraco-CMS | CWE-285 | 4.9 | Medium | 2025-03-11 |
| CVE-2025-27601 | Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality | Umbraco-CMS | CWE-285 | 4.3 | Medium | 2025-03-11 |
| CVE-2025-24012 | Umbraco Backoffice Components Have XSS/HTML Injection Vulnerability | Umbraco-CMS | CWE-79 | 4.6 | Medium | 2025-01-21 |
| CVE-2025-24011 | Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes | Umbraco-CMS | CWE-200 | 5.3 | Medium | 2025-01-21 |
| CVE-2024-48929 | Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out | Umbraco-CMS | CWE-384 | 4.2 | Medium | 2024-10-22 |
| CVE-2024-48927 | Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice | Umbraco-CMS | CWE-74 | 4.6 | Medium | 2024-10-22 |
| CVE-2024-48926 | Umbraco CMS logout page displayed before session expiration | Umbraco-CMS | CWE-613 | 4.2 | Medium | 2024-10-22 |
| CVE-2024-48925 | Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API | Umbraco-CMS | CWE-284 | | | 2024-10-22 |
| CVE-2024-47819 | Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section | Umbraco-CMS | CWE-79 | 4.2 | Medium | 2024-10-22 |
| CVE-2024-43377 | Umbraco CMS Improper Access Control vulnerability | Umbraco-CMS | CWE-284 | 5.4 | Medium | 2024-08-20 |
| CVE-2024-43376 | Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information | Umbraco-CMS | CWE-209 | 4.3 | Medium | 2024-08-20 |
| CVE-2024-35218 | Umbraco CMS Vulnerable to Stored XSS on Content Page Through Markdown Editor Preview Pane | Umbraco-CMS | CWE-79 | 4.2 | Medium | 2024-05-21 |
| CVE-2024-34071 | Open Redirect Bypass Protection | Umbraco-CMS | CWE-601 | 6.1 | Medium | 2024-05-21 |
| CVE-2024-29035 | Umbraco's Blind SSRF Leads to Port Scan by using Webhooks | Umbraco-CMS | CWE-918 | 4.1 | Medium | 2024-04-17 |
| CVE-2024-28868 | Umbraco possible user enumeration vulnerability | Umbraco-CMS | CWE-204 | 3.7 | Low | 2024-03-20 |
| CVE-2023-49279 | Umbraco CMS vulnerable to stored XSS via SVG File Upload | Umbraco-CMS | CWE-79 | 3.7 | Low | 2023-12-12 |
| CVE-2023-49278 | Umbraco CMS brute force exploit can be used to collect valid usernames | Umbraco-CMS | CWE-200 | 5.3 | Medium | 2023-12-12 |
| CVE-2023-49274 | Umbraco CMS SMTP misconfiguration exposes potential registered user email | Umbraco-CMS | CWE-200 | 3.7 | Low | 2023-12-12 |
| CVE-2023-49273 | Umbraco CMS vulnerable to Privilege Escalation using Spoofing | Umbraco-CMS | CWE-863 | 5.4 | Medium | 2023-12-12 |
| CVE-2023-49089 | Umbraco CMS possible path traversal when creating packages from backoffice | Umbraco-CMS | CWE-22 | 7.7 | High | 2023-12-12 |
| CVE-2023-48313 | Umbraco contains a DOM-XSS | Umbraco-CMS | CWE-79 | 4.3 | Medium | 2023-12-12 |

This page lists every published CVE security advisory associated with Umbraco. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.