CVE-2025-67288
CRITICAL10.0EPSS 0.06%Umbraco CMS has an arbitrary file upload vulnerability
Published: 12/22/2025Modified: 2/3/2026
Description
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. While Umbraco provides [hooks to perform file validation](https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation), it does not do implement filtering by default. Users are expected to implement their own validation. Note: This vulnerability is [disputed by Ubraco](https://github.com/github/advisory-database/pull/6633).
Affected packages (1)
- NuGet/Umbraco.Cmsfrom 0, <= 16.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P |
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-67288
- PATCHhttps://github.com/umbraco/Umbraco-CMS
- WEBhttps://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation
- WEBhttps://github.com/github/advisory-database/pull/6633
- WEBhttps://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288
- WEBhttp://umbraco.com