CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27602 – Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
https://notcve.org/view.php?id=CVE-2025-27602
11 Mar 2025 — Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27601 – Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
https://notcve.org/view.php?id=CVE-2025-27601
11 Mar 2025 — Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-24012 – Umbraco Backoffice Components Have XSS/HTML Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-24012
21 Jan 2025 — Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch. • https://github.com/umbraco/Umbraco-CMS/commit/d4f8754f933895b3a329296e25ddea6f84a0aea2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 15%CPEs: 2EXPL: 1CVE-2025-24011 – Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes
https://notcve.org/view.php?id=CVE-2025-24011
21 Jan 2025 — Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. • https://github.com/Puben/CVE-2025-24011-PoC • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.9EPSS: 0%CPEs: 22EXPL: 1CVE-2024-10761 – Umbraco CMS Dashboard frame cross site scripting
https://notcve.org/view.php?id=CVE-2024-10761
04 Nov 2024 — A vulnerability was found in Umbraco CMS 12.3.6. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. • https://vuldb.com/?ctiid.282930 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-707: Improper Neutralization •
CVSS: 4.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-48929 – Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out
https://notcve.org/view.php?id=CVE-2024-48929
22 Oct 2024 — Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wxw9-6pv9-c3xc • CWE-384: Session Fixation •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-48927 – Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
https://notcve.org/view.php?id=CVE-2024-48927
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-48926 – Umbraco CMS logout page displayed before session expiration
https://notcve.org/view.php?id=CVE-2024-48926
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48925 – Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API
https://notcve.org/view.php?id=CVE-2024-48925
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4gp9-ff99-j6vj • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47819 – Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
https://notcve.org/view.php?id=CVE-2024-47819
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is o... • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •