CVE-2025-27601

Severity: MEDIUM 4.3 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 19:52 (vuln.today)
Patch Released: Sep 22, 2025 - 13:58 (nvd), patch available
CVE Published: Mar 11, 2025 - 16:15 (nvd), MEDIUM 4.3

Description (NVD)

Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

Analysis (AI)

Umbraco is a free and open source .NET content management system. [CVSS 4.3 MEDIUM]

Technical Context (AI)

Classified as CWE-285 (Improper Authorization). Affects Umbraco's API management package prior to versions 15.2.3 and 14.3.3: low-privilege, authenticated users can create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

Affected Products (AI)

Product: Umbraco's API management package. Versions: up to 15.2.3.

Remediation (AI)

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
