
umbraco — Vulnerabilities & Security Advisories (47)

Browse all 47 CVE security advisories affecting umbraco. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Umbraco is an open-source .NET content management system designed for building and managing digital experiences. Its architecture relies heavily on ASP.NET, making it a frequent target for web application attacks. Historically, the platform has been vulnerable to critical flaws, including Remote Code Execution (RCE) and Cross-Site Scripting (XSS), often stemming from insufficient input validation or insecure default configurations. Privilege escalation vulnerabilities have also been documented, allowing attackers to gain administrative access through manipulated requests. While the core framework is robust, many security incidents involve third-party packages or custom implementations that fail to adhere to secure coding standards. Recent advisories highlight the importance of keeping the CMS and its extensions updated to mitigate known risks. The high number of recorded CVEs underscores the necessity for rigorous patch management and security auditing in Umbraco deployments to prevent exploitation of these persistent weaknesses.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-31834 | Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks | Umbraco-CMS | CWE-269 | 7.2 | High | 2026-03-10 |
| CVE-2026-31833 | Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering | Umbraco-CMS | CWE-79 | 6.7 | Medium | 2026-03-10 |
| CVE-2026-31832 | Umbraco Backoffice API Allows Unauthorized Modification of Domain Data | Umbraco-CMS | CWE-639 | 5.4 | Medium | 2026-03-10 |
| CVE-2026-27449 | Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints | Umbraco.Engage.Forms | CWE-284 | 7.5 | High | 2026-02-26 |
| CVE-2026-24687 | Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac | Umbraco.Forms.Issues | CWE-22 | 4.9 (AI) | Medium (AI) | 2026-01-29 |
| CVE-2025-68924 | Umbraco Forms security vulnerability | Forms | CWE-829 | 7.5 | High | 2026-01-16 |
| CVE-2021-47776 | Umbraco v8.14.1 - 'baseUrl' SSRF | Umbraco | CWE-918 | 5.3 | Medium | 2026-01-15 |
| CVE-2025-66625 | Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality | Umbraco-CMS | CWE-200 | 4.9 | Medium | 2025-12-09 |
| CVE-2012-10054 | Umbraco CMS < 4.7.1 codeEditorSave.asmx RCE | CMS | CWE-434 | 9.8 (AI) | Critical (AI) | 2025-08-13 |
| CVE-2025-54425 | Umbraco's Delivery API allows for cached requests to be returned with an invalid API key | Umbraco-CMS | CWE-200 | 5.3 | Medium | 2025-07-30 |
| CVE-2025-49147 | Umbraco.Cms Vulnerable to Disclosure of Configured Password Requirements | Umbraco-CMS | CWE-497 | 5.3 | Medium | 2025-06-24 |
| CVE-2025-48953 | Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads | Umbraco-CMS | CWE-434 | 5.5 | Medium | 2025-06-03 |
| CVE-2025-47280 | Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow | Umbraco.Forms.Issues | CWE-116 | 4.7 (AI) | Medium (AI) | 2025-05-13 |
| CVE-2025-46736 | Umbraco Makes User Enumeration Feasible Based on Timing of Login Response | Umbraco-CMS | CWE-204 | 5.3 | Medium | 2025-05-06 |
| CVE-2025-32017 | Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users | Umbraco-CMS | CWE-23 | 8.8 | High | 2025-04-08 |
| CVE-2025-27602 | Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content | Umbraco-CMS | CWE-285 | 4.9 | Medium | 2025-03-11 |
| CVE-2025-27601 | Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality | Umbraco-CMS | CWE-285 | 4.3 | Medium | 2025-03-11 |
| CVE-2025-24012 | Umbraco Backoffice Components Have XSS/HTML Injection Vulnerability | Umbraco-CMS | CWE-79 | 4.6 | Medium | 2025-01-21 |
| CVE-2025-24011 | Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes | Umbraco-CMS | CWE-200 | 5.3 | Medium | 2025-01-21 |
| CVE-2025-23041 | Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms | Umbraco.Forms.Issues | CWE-20 | 5.8 | Medium | 2025-01-14 |
| CVE-2024-10761 | Umbraco CMS Dashboard frame cross site scripting | CMS | CWE-79 | 4.3 | Medium | 2024-11-04 |
| CVE-2024-48929 | Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out | Umbraco-CMS | CWE-384 | 4.2 | Medium | 2024-10-22 |
| CVE-2024-48927 | Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice | Umbraco-CMS | CWE-74 | 4.6 | Medium | 2024-10-22 |
| CVE-2024-48926 | Umbraco CMS logout page displayed before session expiration | Umbraco-CMS | CWE-613 | 4.2 | Medium | 2024-10-22 |
| CVE-2024-48925 | Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API | Umbraco-CMS | CWE-284 | - | - | 2024-10-22 |
| CVE-2024-47819 | Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section | Umbraco-CMS | CWE-79 | 4.2 | Medium | 2024-10-22 |
| CVE-2024-43377 | Umbraco CMS Improper Access Control vulnerability | Umbraco-CMS | CWE-284 | 5.4 | Medium | 2024-08-20 |
| CVE-2024-43376 | Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information | Umbraco-CMS | CWE-209 | 4.3 | Medium | 2024-08-20 |
| CVE-2024-35240 | Stored Cross-site Scripting on Print Functionality in Umbraco Commerce | Umbraco.Commerce.Issues | CWE-79 | 5.4 | Medium | 2024-05-28 |
| CVE-2024-35239 | Stored Cross-site Scripting on Components of Umbraco Forms | Umbraco.Forms.Issues | CWE-79 | 2.7 | Low | 2024-05-28 |

Entries marked (AI) carry the page's AI-generated CVSS score and severity badge rather than a vendor- or NVD-assigned value; "-" means no score was listed.

This page lists every published CVE security advisory associated with umbraco. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.