CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-49147 – Umbraco.Cms Vulnerable to Disclosure of Configured Password Requirements
https://notcve.org/view.php?id=CVE-2025-49147
24 Jun 2025 — Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password. This information was not exposed in Umbraco 7 or 8, nor in 14 or higher ver... • https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48953 – Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
https://notcve.org/view.php?id=CVE-2025-48953
03 Jun 2025 — Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/d920e93d1ee29dc3301697e444f53e8cd5db3cf9 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2025-47280 – Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
https://notcve.org/view.php?id=CVE-2025-47280
13 May 2025 — Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms a... • https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-46736 – Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
https://notcve.org/view.php?id=CVE-2025-46736
06 May 2025 — Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/14fbd20665b453cbf094ccf4575b79a9fba07e03 • CWE-204: Observable Response Discrepancy •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-32017 – Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
https://notcve.org/view.php?id=CVE-2025-32017
08 Apr 2025 — Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. • https://github.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833 • CWE-23: Relative Path Traversal •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27602 – Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
https://notcve.org/view.php?id=CVE-2025-27602
11 Mar 2025 — Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27601 – Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
https://notcve.org/view.php?id=CVE-2025-27601
11 Mar 2025 — Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-24012 – Umbraco Backoffice Components Have XSS/HTML Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-24012
21 Jan 2025 — Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch. • https://github.com/umbraco/Umbraco-CMS/commit/d4f8754f933895b3a329296e25ddea6f84a0aea2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 12%CPEs: 2EXPL: 1CVE-2025-24011 – Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes
https://notcve.org/view.php?id=CVE-2025-24011
21 Jan 2025 — Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. • https://github.com/Puben/CVE-2025-24011-PoC • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23041 – Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms
https://notcve.org/view.php?id=CVE-2025-23041
14 Jan 2025 — Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268 • CWE-20: Improper Input Validation •