pkg:NuGet/Umbraco.Cms

15 total CVEs: CRITICAL 1, HIGH 2, MEDIUM 12

All known vulnerabilities

  • CRITICAL 10.0 | CVE-2025-67288 | Umbraco CMS has an arbitrary file upload vulnerability
    from 0, <= 16.3.3
  • HIGH 8.8 | CVE-2025-32017 | Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
    >= 14.0.0--preview004, < 14.3.4
  • HIGH 7.2 | CVE-2026-31834 | Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
    >= 15.3.1, < 16.5.1
  • MEDIUM 6.7 | CVE-2026-31833 | Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
    >= 16.2.0, < 16.5.1
  • MEDIUM 5.5 | CVE-2025-48953 | Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
    >= 14.0.0, < 15.4.2
  • MEDIUM 5.4 | CVE-2026-46616 | Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
    from 0, < 13.14.0
  • MEDIUM 5.4 | CVE-2026-31832 | Umbraco Backoffice API Allows Unauthorized Modification of Domain Data
    >= 14.0.0, < 16.5.1
  • MEDIUM 5.4 | CVE-2024-43377 | Umbraco CMS Improper Access Control vulnerability
    >= 14.0.0, < 14.1.2
  • MEDIUM 5.3 | CVE-2025-49147 | Umbraco CMS disclosure of configured password requirements
    >= 10.0.0, < 10.8.11
  • MEDIUM 5.3 | CVE-2025-46736 | Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
    >= 11.0.0-rc1, < 13.8.1
  • MEDIUM 5.3 | CVE-2025-24011 | Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
    >= 14.0.0, < 14.3.2
  • MEDIUM 4.9 | CVE-2025-66625 | Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality
    >= 10.0.0, < 13.12.1
  • MEDIUM 4.6 | CVE-2026-46609 | Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
    >= 14.0.0, < 17.4.0
  • MEDIUM 4.6 | CVE-2024-48927 | Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
    >= 10.0.0, < 10.8.7
  • MEDIUM 4.3 | CVE-2024-10761 | XSS/HTML Injection Vulnerability in Umbraco Preview Badge
    >= 11.0.0, < 13.5.3