Umbraco Umbraco-Cms vulnerabilities

34 known vulnerabilities affecting umbraco/umbraco-cms.

Total CVEs: 34
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 29, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2025-46736 | P4 | MEDIUM | CVSS 5.3 | affected: >= 11.0.0-rc1, < 13.8.1 | fixed in 10.8.10 | published 2025-05-06
[MEDIUM] CWE-204: Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available.
Source: nvd
CVE-2024-48927 | P4 | MEDIUM | CVSS 4.6 | affected: >= 13.0.0, < 13.5.2; >= 10.0.0, < 10.8.7; +1 more | published 2024-10-22
[MEDIUM] CWE-74: Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they "preview" SVG files in full screen mode. Versions 13.5.2, 10.8.7, and 8.18.15 conta
Source: nvd
CVE-2023-38694 | P4 | MEDIUM | CVSS 5.4 | affected: >= 8.0.0, < 8.18.10; >= 9.0.0-rc001, < 10.7.0; +1 more | published 2023-12-12
[MEDIUM] CWE-79: Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.
Source: nvd
CVE-2024-43376 | P4 | MEDIUM | CVSS 5.3 | affected: >= 14.0.0, < 14.1.2 | published 2024-08-20
[MEDIUM] CWE-209: Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.
Source: nvd
CVE-2025-24012 | P4 | MEDIUM | CVSS 5.4 | affected: >= 14.0.0, < 14.3.2; >= 15.0.0, < 15.1.2 | published 2025-01-21
[MEDIUM] CWE-79: Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch.
Source: nvd
CVE-2024-29035 | P4 | MEDIUM | CVSS 5.3 | affected: >= 13.0.0, < 13.1.1 | published 2024-04-17
[MEDIUM] CWE-918: Umbraco is an ASP.NET CMS. Failing webhook logs are available when the solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1.
Source: nvd
CVE-2023-48313 | P4 | MEDIUM | CVSS 6.1 | affected: >= 10.0.0, < 10.8.1; >= 11.0.0-rc1, < 12.3.4 | published 2023-12-12
[MEDIUM] CWE-79: Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.
Source: nvd
CVE-2025-27601 | P4 | MEDIUM | CVSS 4.3 | affected: >= 15.0.0-rc1, < 15.2.3 | fixed in 14.3.3 | published 2025-03-11
[MEDIUM] CWE-285: Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section.
Source: nvd
CVE-2026-46609 | P4 | MEDIUM | CVSS 4.6 | affected: >= 14.0.0, < 17.4.0 | published 2026-06-10
[MEDIUM] CWE-79: Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
Source: nvd
CVE-2023-48227 | P4 | MEDIUM | CVSS 4.3 | affected: >= 8.0.0, < 8.18.10; >= 9.0.0-rc001, < 10.7.0; +1 more | published 2023-12-12
[MEDIUM] CWE-863: Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contain a patch for this issue. No known workarounds are availab
Source: nvd
CVE-2024-35218 | P4 | MEDIUM | CVSS 4.8 | affected: >= 8.0.0, < 8.18.13; >= 10.0.0, < 10.8.4; +2 more | published 2024-05-21
[MEDIUM] CWE-79: Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored cross-site scripting (XSS) enables attackers that have access to the backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer.
Source: nvd
CVE-2024-43377 | P4 | MEDIUM | CVSS 4.3 | affected: >= 14.0.0, < 14.1.2 | published 2024-08-20
[MEDIUM] CWE-284: Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.
Source: nvd
CVE-2024-48929 | P4 | MEDIUM | CVSS 4.2 | affected: >= 13.0.0, < 13.5.2; >= 10.0.0, < 10.8.7 | published 2024-10-22
[MEDIUM] CWE-384: Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue.
Source: nvd
CVE-2024-48926 | P4 | LOW | CVSS 3.1 | affected: >= 13.0.0, < 13.5.2; >= 10.0.0, < 10.8.7; +1 more | published 2024-10-22
[LOW] CWE-613: Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they hav
Source: nvd