Umbraco cms

This hub aggregates every CVE we track for Umbraco cms, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Umbraco cms.

• CVE-2026-46609Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog4.6Jun 10, 2026
• CVE-2026-46616Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers5.4Jun 10, 2026
• CVE-2026-31834Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks7.2Mar 10, 2026
• CVE-2026-31833Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering6.7Mar 10, 2026
• CVE-2026-31832Umbraco Backoffice API Allows Unauthorized Modification of Domain Data5.4Mar 10, 2026
• CVE-2021-47776Umbraco v8.14.1 - 'baseUrl' SSRF5.3Jan 15, 2026
• CVE-2025-67288An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsi...10.0Dec 22, 2025
• CVE-2025-66625Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality4.9Dec 9, 2025
• CVE-2012-10054Umbraco CMS < 4.7.1 codeEditorSave.asmx RCE9.8Aug 13, 2025
• CVE-2025-54425Umbraco's Delivery API allows for cached requests to be returned with an invalid API key5.3Jul 30, 2025
• CVE-2025-49147Umbraco.Cms Vulnerable to Disclosure of Configured Password Requirements5.3Jun 24, 2025
• CVE-2025-48953Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads5.5Jun 3, 2025
• CVE-2025-46736Umbraco Makes User Enumeration Feasible Based on Timing of Login Response5.3May 6, 2025
• CVE-2025-32017Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users8.8Apr 8, 2025
• CVE-2025-27602Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content4.9Mar 11, 2025