Product: Umbraco CMS
68 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-31834, affected versions: >= 15.3.1 and < 16.5.1
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, a privilege escalation vulnerability has been identified in Um

CVE-2026-31833, affected versions: >= 16.2.0 and < 16.5.1
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can i

CVE-2026-31832, affected versions: >= 14.0.0 and < 16.5.1
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, a broken object-level authorization vulnerability exists in a

CVE-2026-24687, affected versions: >= 16.0.0 and < 16.4.1
Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated bac

CVE-2025-68924, affected versions: <= 8.13.16
In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data sour

CVE-2021-47776, affected versions: all versions
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in

CVE-2025-67288, affected versions: all versions
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PD

CVE-2025-66625, affected versions: >= 10.0.0 and < 13.12.1
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the d

CVE-2012-10054, affected versions: < 4.7.1
Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpo

CVE-2025-54425, affected versions: >= 13.0.0 and < 13.9.3
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content deliver

CVE-2025-49147, affected versions: >= 10.0.0 and < 10.8.11
Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0

CVE-2025-48953, affected versions: >= 14.0.0 and < 15.4.2
Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's po

CVE-2025-47280, affected versions: >= 7.0.0 and < 13.4.2
Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior t

CVE-2025-46736, affected versions: < 10.8.10
Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of th

CVE-2025-32017, affected versions: >= 14.0.0 and < 14.3.4
Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft

CVE-2025-27602, affected versions: < 10.8.9
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to version

CVE-2025-27601, affected versions: < 14.3.3
Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco

CVE-2024-55488, affected versions: all versions
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML

CVE-2025-24012, affected versions: >= 14.0.0 and < 14.3.2
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1

CVE-2025-24011, affected versions: >= 14.0.0 and < 14.3.2
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1

CVE-2025-23041, affected versions: < 8.13.15
Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long a

CVE-2024-10761, affected versions: all versions
A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected

CVE-2024-48929, affected versions: >= 10.0 and < 10.8.7
Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on t

CVE-2024-48927, affected versions: >= 8.0 and < 8.18.15
Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch p

CVE-2024-48926, affected versions: >= 8.0 and < 8.18.15
Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13

CVE-2024-48925, affected versions: >= 14.0.0 and < 14.3.0
Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 an

CVE-2024-47819, affected versions: >= 14.0.0 and < 14.3.1
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.

CVE-2024-43377, affected versions: >= 14.0.0 and < 14.1.2
Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.

CVE-2024-43376, affected versions: >= 14.0.0 and < 14.1.2
Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in de

CVE-2024-35239, affected versions: < 8.13.13
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit F

CVE-2024-35218, affected versions: >= 8.0.0 and < 8.18.13
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enables attackers that have acc

CVE-2024-34071, affected versions: >= 8.18.5 and < 8.18.14
Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The en

CVE-2024-29035, affected versions: >= 13.0.0 and < 13.1.1
Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain informat

CVE-2024-28868, affected versions: >= 10.0.0 and < 10.8.5
Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable t

CVE-2023-49279, affected versions: >= 7.0.0 and < 7.15.11
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11

CVE-2023-49278, affected versions: >= 8.0.0 and < 8.18.10
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4

CVE-2023-49274, affected versions: >= 8.0.0 and < 8.18.10
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4

CVE-2023-49273, affected versions: >= 8.0.0 and < 8.18.10
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4

CVE-2023-49089, affected versions: >= 8.0.0 and < 8.18.10
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0

CVE-2023-48313, affected versions: >= 10.0.0 and < 10.8.1
Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contai

CVE-2023-48227, affected versions: >= 8.0.0 and < 8.18.10
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0

CVE-2023-38694, affected versions: >= 8.0.0 and < 8.18.10
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0

CVE-2023-37267, affected versions: >= 10.0.0 and < 10.6.1
Umbraco is an ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permission

CVE-2023-32312, affected versions: <= 2.0.0
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In

CVE-2019-25137, affected versions: >= 4.11.8 and <= 7.15.10
Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in a

CVE-2021-33224, affected versions: all versions
File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.co

CVE-2022-22691, affected versions: < 9.2.0
The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a pas

CVE-2022-22690, affected versions: < 9.2.0
Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever applicat

CVE-2021-37334, affected versions: >= 4.0.0 and < 4.4.9
Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code

CVE-2021-34254, affected versions: < 7.15.7
Umbraco CMS before 7.15.7 is vulnerable to Open Redirection due to insufficient URL sanitization on booting.aspx.

CVE-2020-5811, affected versions: <= 8.9.1
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could r

CVE-2020-5810, affected versions: <= 8.9.1
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload

CVE-2020-5809, affected versions: <= 8.9.1
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code i

CVE-2020-29454, affected versions: >= 8.0.0 and <= 8.9.1
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications

CVE-2020-7685, affected versions: all versions
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload

CVE-2020-9472, affected versions: all versions
Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionali

CVE-2020-9471, affected versions: all versions
Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages function

CVE-2020-7210, affected versions: all versions
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.

CVE-2019-13957, affected versions: all versions
In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName pa

CVE-2018-17256, affected versions: all versions
Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web scrip

CVE-2014-10074, affected versions: < 7.2.0
Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config do

CVE-2017-15280, affected versions: <= 7.7.2
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading fi

CVE-2017-15279, affected versions: <= 7.7.2
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTM

CVE-2012-1301, affected versions: all versions
The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter.

CVE-2015-8815, affected versions: <= 7.3.8
Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0 allow remote attackers to inject arbitrary web script

CVE-2015-8814, affected versions: all versions
Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF

CVE-2015-8813, affected versions: <= 7.3.8
The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remo

CVE-2013-4793, affected versions: <= 6.0.3
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0