CVE-2025-67288
Published 2025-12-22
Priority: P358 · Severity: critical · CVSS 3.1 base score: 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.50% (39.3rd percentile)
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco | umbraco_cms | — | — |
OSV
Umbraco CMS has an arbitrary file upload vulnerability
osv · 2025-12-22 · CVE-2025-67288 [MEDIUM]
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. While Umbraco provides [hooks to perform file validation](https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation), it does not implement filtering by default. Users are expected to implement their own validation.
Note: This vulnerability is [disputed by Umbraco](https://github.com/github/advisory-database/pull/6633).
GHSA
Umbraco CMS has an arbitrary file upload vulnerability
ghsa · 2025-12-22 · CVE-2025-67288 [MEDIUM] · CWE-434
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. While Umbraco provides [hooks to perform file validation](https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation), it does not implement filtering by default. Users are expected to implement their own validation.
Note: This vulnerability is [disputed by Umbraco](https://github.com/github/advisory-database/pull/6633).
No detection rules found.
No public exploits indexed.