Umbraco-cms

This hub aggregates every CVE we track for Umbraco-cms, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Umbraco-cms.

• CVE-2026-46609Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog4.6Jun 10, 2026
• CVE-2026-46616Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers5.4Jun 10, 2026
• CVE-2026-31834Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks7.2Mar 10, 2026
• CVE-2026-31833Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering6.7Mar 10, 2026
• CVE-2026-31832Umbraco Backoffice API Allows Unauthorized Modification of Domain Data5.4Mar 10, 2026
• CVE-2025-66625Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality4.9Dec 9, 2025
• CVE-2025-54425Umbraco's Delivery API allows for cached requests to be returned with an invalid API key5.3Jul 30, 2025
• CVE-2025-49147Umbraco.Cms Vulnerable to Disclosure of Configured Password Requirements5.3Jun 24, 2025
• CVE-2025-48953Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads5.5Jun 3, 2025
• CVE-2025-46736Umbraco Makes User Enumeration Feasible Based on Timing of Login Response5.3May 6, 2025
• CVE-2025-32017Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users8.8Apr 8, 2025
• CVE-2025-27602Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content4.9Mar 11, 2025
• CVE-2025-27601Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality4.3Mar 11, 2025
• CVE-2025-24012Umbraco Backoffice Components Have XSS/HTML Injection Vulnerability4.6Jan 21, 2025
• CVE-2025-24011Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes5.3Jan 21, 2025