
Umbraco Cms vulnerabilities

57 known vulnerabilities affecting umbraco/umbraco_cms.

Total CVEs: 57
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 8, MEDIUM 43, LOW 1

Vulnerabilities

Page 3 of 3
CVE | Priority | Severity | CVSS | CWE | Affected versions | Published

CVE-2017-15280 | P4 | MEDIUM | CVSS 5.5 | CWE-611 | ≤ 7.7.2 | 2017-10-12
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
Source: nvd

CVE-2025-24012 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 14.0.0, < 14.3.2; ≥ 15.0.0, < 15.1.2 | 2025-01-21
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch.
Source: nvd

CVE-2024-29035 | P4 | MEDIUM | CVSS 5.3 | CWE-918 | ≥ 13.0.0, < 13.1.1 | 2024-04-17
Umbraco is an ASP.NET CMS. Logs of failing webhooks are available when the solution is not in debug mode. Those logs can contain critical information. This vulnerability is fixed in 13.1.1.
Source: nvd

CVE-2021-34254 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 7.15.7 | 2021-06-28
Umbraco CMS before 7.15.7 is vulnerable to open redirection due to insufficient URL sanitization on booting.aspx.
Source: nvd

CVE-2020-5809 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 8.9.1 | 2020-12-30
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.
Source: nvd

CVE-2023-48313 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 10.0.0, < 10.8.1; ≥ 12.0.0, < 12.3.4 | 2023-12-12
Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.
Source: nvd

CVE-2025-27601 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 14.3.3; ≥ 15.0.0, < 15.2.3 | 2025-03-11
Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section.
Source: nvd

CVE-2017-15279 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 7.7.2 | 2017-10-12
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
Source: nvd

CVE-2020-29454 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | ≥ 8.0.0, ≤ 8.9.1 | 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
Source: nvd

CVE-2026-46609 | P4 | MEDIUM | CVSS 4.6 | CWE-79 | ≥ 14.0.0, < 17.4.0 | 2026-06-10
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
Source: nvd

CVE-2023-48227 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | ≥ 8.0.0, < 8.18.10; ≥ 9.0.0, < 10.7.0; +1 more | 2023-12-12
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send-for-approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contain a patch for this issue. No known workarounds are available.
Source: nvd

CVE-2024-35218 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | ≥ 8.0.0, < 8.18.13; ≥ 10.0.0, < 10.8.4; +2 more | 2024-05-21
Umbraco CMS is an ASP.NET CMS used by more than 730,000 websites. Stored cross-site scripting (XSS) enables attackers that have access to the backoffice to bring malicious content into a website or application. This vulnerability has been patched in versions 8.18.13, 10.8.4, 12.3.7, and 13.1.1 by implementing IHtmlSanitizer.
Source: nvd

CVE-2024-43377 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | ≥ 14.0.0, < 14.1.2 | 2024-08-20
Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.
Source: nvd

CVE-2024-48929 | P4 | MEDIUM | CVSS 4.2 | CWE-384 | ≥ 10.0, < 10.8.7; ≥ 13.0, < 13.5.2 | 2024-10-22
Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue.
Source: nvd

CVE-2018-17256 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | v7.12.3 | 2018-11-27
Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web script via the Header Name of a content item (Blog, Content Page, etc.). The vulnerability is exploited when updating or removing public access of a content item.
Source: nvd

CVE-2020-7210 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | v8.2.2 | 2020-01-23
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
Source: nvd

CVE-2024-48926 | P4 | LOW | CVSS 3.1 | CWE-613 | ≥ 8.0, < 8.18.15; ≥ 10.0, < 10.8.7; +1 more | 2024-10-22
Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they hav
Source: nvd
Umbraco Cms vulnerabilities | cvebase