What is the CVSS score of CVE-2025-48953?

CVE-2025-48953 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of Umbraco Cms are affected by CVE-2025-48953?

Organizations using version 14.0.0 and should be aware of moderate risk from CVE-2025-48953, a unrestricted file upload vulnerability rated CVSS 5.5. This could allow unauthorized file access.. A patch is available.

How to fix or mitigate CVE-2025-48953?

Within 30 days: Identify affected systems running version 14.0.0 and and apply vendor patches as part of regular patch cycle. Review file handling controls.

Umbraco Cms CVE-2025-48953

EUVD-2025-16778 MEDIUM

Unrestricted Upload of File with Dangerous Type (CWE-434)

2025-06-03 security-advisories@github.com

GHSA-fr6r-p8hv-x3c4

File Upload Umbraco Cms

5.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.5 MEDIUM

AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16778

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

Patch released

Mar 14, 2026 - 17:04 nvd

Patch available

CVE Published

Jun 03, 2025 - 19:15 nvd

MEDIUM 5.5

DescriptionGitHub Advisory

Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available.

Analysis

Technical ContextAI

Unrestricted file upload allows attackers to upload malicious files (web shells, executables) that can then be executed on the server. This vulnerability is classified as Unrestricted Upload of File with Dangerous Type (CWE-434).

RemediationAI

A vendor patch is available — apply it immediately. Validate file types by content (magic bytes), not just extension. Store uploads outside the web root. Use random filenames. Scan uploads for malware.

CVE-2025-48953 vulnerability details – vuln.today

Back