CVE-2026-46609
Published 2026-06-10
Priority P4 · 22 · medium · CVSS 3.1: 4.6
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.14% (3.4th percentile)
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco_cms | >= 14.0.0 < 17.4.0 | 17.4.0 |
VulDB
Umbraco CMS up to 17.3.x cross site scripting
vuldb·2026-06-10·CVSS 4.6
CVE-2026-46609 [MEDIUM] Umbraco CMS up to 17.3.x cross site scripting
A vulnerability described as problematic has been identified in Umbraco CMS up to 17.3.x. This impacts an unknown function. Such manipulation leads to cross site scripting.
This vulnerability is traded as CVE-2026-46609. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is recommended.
GHSA
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
ghsa·2026-05-21
CVE-2026-46609 [MEDIUM] CWE-79 Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
### Impact
Authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding.
### Patches
This issue has been patched in 17.4.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-10
Published