Umbraco Umbraco_cms

57 CVEs affecting Umbraco Umbraco_cms. Latest disclosed: 2026-06-10. Critical: 4, High: 7.

Top CVEs affecting Umbraco Umbraco_cms
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2025-67288 | Critical | 10.0 | 2025-12-22 | An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is dispute… |
| CVE-2012-10054 | Critical | 9.8 | 2025-08-13 | Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRS… |
| CVE-2014-10074 | Critical | 9.8 | 2018-08-27 | Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .p… |
| CVE-2012-1301 | Critical | 9.8 | 2017-04-13 | The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter. |
| CVE-2025-32017 | High | 8.8 | 2025-04-08 | Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that e… |
| CVE-2020-9471 | High | 8.8 | 2020-03-16 | Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality. |
| CVE-2022-22690 | High | 8.6 | 2022-01-18 | Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever application code needs to build a URL… |
| CVE-2023-49089 | High | 7.7 | 2023-12-12 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permi… |
| CVE-2023-37267 | High | 7.5 | 2023-07-13 | Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was pat… |
| CVE-2026-31834 | High | 7.2 | 2026-03-10 | Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain cond… |
| CVE-2019-25137 | High | 7.2 | 2023-05-18 | Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/… |
| CVE-2022-22691 | Medium | 6.8 | 2022-01-18 | The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be po… |
| CVE-2026-31833 | Medium | 6.7 | 2026-03-10 | Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into pro… |
| CVE-2024-55488 | Medium | 6.5 | 2025-01-22 | A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE… |
| CVE-2020-5811 | Medium | 6.5 | 2020-12-30 | An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files bein… |
| CVE-2020-9472 | Medium | 6.5 | 2020-03-16 | Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. |
| CVE-2024-34071 | Medium | 6.1 | 2024-05-21 | Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it req… |
| CVE-2021-34254 | Medium | 6.1 | 2021-06-28 | Umbraco CMS before 7.15.7 is vulnerable to Open Redirection due to insufficient url sanitization on booting.aspx. |
| CVE-2025-48953 | Medium | 5.5 | 2025-06-03 | Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that… |
| CVE-2017-15280 | Medium | 5.5 | 2017-10-12 | XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending… |