Umbraco.CMS vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-46609MediumUmbraco.Cms: Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialogCVE-2026-46616MediumUmbraco.Cms: Umbraco.Cms: Open Redirect Vulnerability in Surface ControllersCVE-2026-31834HighUmbraco.Cms: Umbraco Affected by Vertical Privilege Escalation via Missing Authorization ChecksCVE-2026-31833MediumUmbraco.Cms: Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute FilteringCVE-2026-31832MediumUmbraco.Cms: Umbraco Backoffice API Allows Unauthorized Modification of Domain DataCVE-2025-67288MediumUmbraco.Cms: Umbraco CMS has an arbitrary file upload vulnerabilityCVE-2025-66625MediumUmbraco.Cms: Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import FunctionalityCVE-2025-49147MediumUmbraco.Cms: Umbraco CMS disclosure of configured password requirements CVE-2025-48953MediumUmbraco.Cms: Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File UploadsCVE-2025-46736MediumUmbraco.Cms: Umbraco Makes User Enumeration Feasible Based on Timing of Login ResponseCVE-2025-32017HighUmbraco.Cms: Umbraco has a Management API Vulnerability to Path Traversal With Authenticated UsersCVE-2024-10761MediumUmbraco.Cms: XSS/HTML Injection Vulnerability in Umbraco Preview BadgeCVE-2025-24011MediumUmbraco.Cms: Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes CVE-2024-48929MediumUmbraco.CMS: Umbraco CMS Has Incomplete Server Termination During Explicit Sign-OutCVE-2024-48927MediumUmbracoCms: Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in BackofficeCVE-2024-48926MediumUmbraco.CMS: Umbraco CMS logout page displayed before session expirationCVE-2024-48925LowUmbraco.CMS: Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook APICVE-2024-43377MediumUmbraco.Cms: Umbraco CMS Improper Access Control vulnerabilityCVE-2023-49279LowUmbraco.CMS: Stored XSS via SVG File UploadCVE-2023-49278LowUmbraco.CMS: Brute force exploit can be used to collect valid usernamesCVE-2023-49274LowUmbraco.CMS: SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email. CVE-2023-49273MediumUmbraco.CMS: Privilege Escalation using SpoofingCVE-2023-49089LowUmbraco.CMS: Using the directory back payload (“/../”) in a package name allows placement of package in other folders.CVE-2023-48313MediumUmbraco.CMS: DOM-XSS on Backoffice login screen.CVE-2023-48227LowUmbraco.CMS: Backoffice User can bypass "Publish" restriction

Stop the waste.
Protect your environment with Kodem.