XSS in Umbraco Umbraco-cms

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configur…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (20.6th percentile).

CVSS v3 metric

CVSS v3 base score 6.7 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L.

Frequently asked questions

What is CVE-2026-31833?
CVE-2026-31833 is a medium-severity vulnerability in Umbraco Umbraco-cms, classified under Cross-site Scripting. CVSS score: 6.7/10. Published 2026-03-10.

How severe is CVE-2026-31833?
Medium severity. CVSS v3 base score is 6.7 out of 10.