CVE-2026-46616
Published 2026-06-10
Priority P4 · 28 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.18% (7.7th percentile)
Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers that the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive `RedirectUrl` from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco | umbraco-cms | < 13.14.0 | 13.14.0 |
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco_cms | < 13.14.0 | 13.14.0 |
| umbraco | umbraco_cms | >= 14.0.0 < 17.4.0 | 17.4.0 |
VulDB
Umbraco CMS up to 13.13.x/17.3.x Query Parameter RedirectUrl redirect
vuldb·2026-06-10·CVSS 5.4
CVE-2026-46616 [MEDIUM] Umbraco CMS up to 13.13.x/17.3.x Query Parameter RedirectUrl redirect
A vulnerability marked as problematic has been reported in Umbraco CMS up to 13.13.x/17.3.x. This affects an unknown function of the component Query Parameter Handler. This manipulation of the argument RedirectUrl causes open redirect.
This vulnerability appears as CVE-2026-46616. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
ghsa·2026-05-21
CVE-2026-46616 [MEDIUM] CWE-601 Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
### Impact
Some of the Surface Controllers that the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive `RedirectUrl` from user-controlled query parameters vulnerable to malicious redirect attacks.
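An added example, not taken from the advisory or from Umbraco's patch: the kind of check a site can apply before a query-string value is used as `RedirectUrl`, falling back to a trusted path when the value is not a local one. The names `RedirectTargets`, `IsLocalPath` and `Resolve` and the sample values are constructed for illustration; inside an ASP.NET Core view or controller the framework's `Url.IsLocalUrl` serves the same purpose.

```csharp
using System;
using System.Linq;

// Added example, not Umbraco's code: a local-path check for redirect targets.
public static class RedirectTargets
{
    // True only for site-relative paths such as "/" or "/members/profile".
    public static bool IsLocalPath(string? url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/')
            return false;                  // empty, relative, or absolute URL with a scheme
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
            return false;                  // "//host" and "/\host" are treated as off-site by browsers
        return !url.Any(char.IsControl);   // no embedded control characters (CR, LF, tab, ...)
    }

    // Returns the requested target when it is local, otherwise the trusted fallback.
    public static string Resolve(string? requested, string trustedFallback) =>
        IsLocalPath(requested) ? requested! : trustedFallback;
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values standing in for a user-controlled query parameter.
        string?[] samples =
        {
            "/members/profile",
            "/",
            null,
            "members/profile",
            "https://example.org/",
            "//example.org/",
            "/\\example.org/",
            "/members\r\nprofile",
        };
        foreach (var s in samples)
        {
            var shown = s is null ? "(null)" : s.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine($"{shown,-24} -> {RedirectTargets.Resolve(s, "/")}");
        }
    }
}
```

Only the first two samples are passed through unchanged; every other value resolves to the fallback `/`.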
### Patches
The issue is resolved in versions 17.4.0 and 13.14.0.
### Workarounds
If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to `UmbLoginStatusController`, `UmbProfileController` or `UmbRegisterController` passes a concrete, trusted `RedirectUrl` into the route values of `Html.BeginUmbracoForm`.
For example:
```cshtml
@using (Html.BeginUmbracoForm(
    "HandleLogout",
    new { RedirectUrl = Model.Url
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.