What is the CVSS score of CVE-2025-49147?

CVE-2025-49147 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Umbraco Cms are affected by CVE-2025-49147?

Organizations using versions 10.0.0 should be aware of moderate risk from CVE-2025-49147 rated CVSS 5.3. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-49147?

Within 30 days: Identify affected systems running versions 10.0.0 and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Umbraco Cms CVE-2025-49147

EUVD-2025-19053 MEDIUM

Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)

2025-06-24 security-advisories@github.com

GHSA-pgvc-6h2p-q4f6

Information Disclosure Umbraco Cms

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 22:36 euvd

EUVD-2025-19053

Analysis Generated

Mar 15, 2026 - 22:36 vuln.today

Patch released

Mar 15, 2026 - 22:36 nvd

Patch available

CVE Published

Jun 24, 2025 - 18:15 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password. This information was not exposed in Umbraco 7 or 8, nor in 14 or higher versions. The vulnerability is patched in versions 10.8.11 and 13.9.2.

AnalysisAI

A remote code execution vulnerability in versions 10.0.0 (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Technical ContextAI

Vulnerability type: remote code execution. Affects versions 10.0.0.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2025-49147 vulnerability details – vuln.today

Back

Umbraco Cms CVE-2025-49147

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code