CVE-2026-31833
published 2026-03-10CVE-2026-31833: Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into…
PriorityP339medium6.7CVSS 3.1
AVNACLPRHUINSUCHIHAL
EPSS
0.26%
17.3th percentile
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered. This vulnerability is fixed in 16.5.1 and 17.2.2.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco_cms | >= 16.2.0 < 16.5.1 | 16.5.1 |
| umbraco | umbraco_cms | >= 17.0.0 < 17.2.2 | 17.2.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
ghsa·2026-03-11
CVE-2026-31833 [MEDIUM] CWE-79 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
### Description
An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive `attributeNameCheck` configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (`umb-*`, `uui-*`, `ufm-*`) were not filtered.
### Impact
As property type descriptions support Markdown/HTML via the UFM rendering pipeline, injected event handlers are rendered in the backoffice interface, resulting in a stored XSS affecting other backoffice users.
### Patches
The issue is patched in 16.5.1 and 17.2.2.
### Workarounds
There is no workaround other than upg
OSV
Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
osv·2026-03-11
CVE-2026-31833 [MEDIUM] Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
### Description
An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive `attributeNameCheck` configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (`umb-*`, `uui-*`, `ufm-*`) were not filtered.
### Impact
As property type descriptions support Markdown/HTML via the UFM rendering pipeline, injected event handlers are rendered in the backoffice interface, resulting in a stored XSS affecting other backoffice users.
### Patches
The issue is patched in 16.5.1 and 17.2.2.
### Workarounds
There is no workaround other than upg
No detection rules found.
No public exploits indexed.
2026-03-10
Published