CVE-2025-48953
Published 2025-06-03
Priority: P3 35 | Severity: medium | CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
EPSS: 0.16% (5.4th percentile)
Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere to the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco_cms | >= 14.0.0 < 15.4.2 | 15.4.2 |
OSV advisory (osv · 2025-06-04): CVE-2025-48953 [MEDIUM] Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
### Impact
Via a manipulated API request it's possible to upload a file that doesn't adhere to the configured allowable file extensions.
### Patches
Patched in 15.4.2 and 16.0.0.
### Workarounds
None available.
GHSA advisory (ghsa · 2025-06-04): CVE-2025-48953 [MEDIUM] CWE-434 Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads. The impact, patches and workarounds sections are identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.