Umbraco.cms

This hub aggregates every CVE we track for Umbraco.cms, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Umbraco.cms.

• CVE-2026-31832Umbraco Backoffice API Allows Unauthorized Modification of Domain Data5.4Mar 10, 2026
• CVE-2021-47776Umbraco v8.14.1 - 'baseUrl' SSRF5.3Jan 15, 2026
• CVE-2025-67288An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsi...10.0Dec 22, 2025
• CVE-2025-66625Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality4.9Dec 9, 2025
• CVE-2025-49147Umbraco.Cms Vulnerable to Disclosure of Configured Password Requirements5.3Jun 24, 2025
• CVE-2025-48953Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads5.5Jun 3, 2025
• CVE-2025-46736Umbraco Makes User Enumeration Feasible Based on Timing of Login Response5.3May 6, 2025
• CVE-2025-32017Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users8.8Apr 8, 2025
• CVE-2025-24011Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes5.3Jan 21, 2025
• CVE-2024-10761Umbraco CMS Dashboard frame cross site scripting4.3Nov 4, 2024
• CVE-2024-48929Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out4.2Oct 22, 2024
• CVE-2024-48927Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice4.6Oct 22, 2024
• CVE-2024-48926Umbraco CMS logout page displayed before session expiration4.2Oct 22, 2024
• CVE-2024-43377Umbraco CMS Improper Access Control vulnerability5.4Aug 20, 2024
• CVE-2024-28868Umbraco possible user enumeration vulnerability3.7Mar 20, 2024