CVE-2026-46609

MEDIUM4.6

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Published: 5/21/2026Modified: 5/21/2026

Description

### Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. ### Patches This issue has been patched in 17.4.0

Affected packages (1)

NuGet/Umbraco.Cms>= 14.0.0, < 17.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References (2)

PATCHhttps://github.com/umbraco/Umbraco-CMS
WEBhttps://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4