CVE-2026-46609
published 2026-06-10


Priority: P422, medium, 4.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.14% (3.4th percentile)
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco | umbraco-cms | | |
| umbraco | umbraco_cms | >= 14.0.0 < 17.4.0 | 17.4.0 |