cbcvebase.
CVE-2025-67288
published 2025-12-22

CVE-2025-67288: An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is…

PriorityP358critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.50%
39.3th percentile
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.

Affected

1 ranges
VendorProductVersion rangeFixed in
umbracoumbraco_cms
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.