Skip to main content

Umbraco CMS CVE-2025-67288

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-12-22 cve@mitre.org
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Upload normally requires an authenticated backoffice user (PR:L) and a non-default insecure config to reach execution (AC:H); successful RCE yields full C/I/A on the host (S:U).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 14:32 vuln.today

DescriptionNVD

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.

AnalysisAI

Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file-type validation (CWE-434), potentially leading to server-side code execution. The finding is explicitly DISPUTED by Umbraco, which states that enforcing upload validation is the deploying administrator's responsibility per documentation, mirroring the earlier CVE-2023-49279. No public exploit is confirmed and EPSS is low (0.50%, 39th percentile), so despite the nominal CVSS 10.0 this reflects a contested, configuration-dependent condition rather than a proven turnkey RCE.

Technical ContextAI

Umbraco CMS is a widely used open-source ASP.NET (.NET) content management system whose backoffice media/upload handlers accept files that are later served or processed by the application. The CWE-434 (Unrestricted Upload of File with Dangerous Type) root cause here is that Umbraco, by design, delegates allow-list/deny-list enforcement of uploadable extensions and content validation to the administrator's configuration (e.g., the disallowed file-upload settings) rather than hard-blocking dangerous types itself. The single CPE identified is cpe:2.3:a:umbraco:umbraco_cms:16.3.3, and the reported vector (a 'crafted PDF') implies content that is either mis-typed or processed in a way that yields code execution only when the surrounding environment/config permits it - the same class of dispute raised in the related CVE-2023-49279.

RemediationAI

No vendor-released patch is identified at time of analysis, and Umbraco disputes that a code fix is warranted, framing this as a configuration responsibility. The actionable primary control is to harden Umbraco's upload settings: restrict allowed upload extensions via Umbraco's disallowed/allowed file-type configuration (block executable and script-capable types), ensure the media/upload directory is served with static-only handling so uploaded files cannot be executed by the web server, and confine backoffice upload permissions to trusted users only - trade-off: overly strict allow-lists may block legitimate editor workflows and require content-team coordination. As additional compensating controls, place uploaded content on a separate non-executable path or storage, add a WAF/upload-inspection rule for polyglot/PDF-mismatch content, and monitor the media directory for unexpected file types - noting these add operational overhead and can produce false positives. Track the vendor's guidance and the related CVE-2023-49279 documentation; consult https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288 for the reported technique, and upgrade if Umbraco later publishes a patched release.

CVE-2012-10054 CRITICAL POC
9.3 Aug 13

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx

CVE-2020-9471 HIGH POC
8.8 Mar 16

Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package

CVE-2024-10761 MEDIUM POC
6.9 Nov 04

A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. Rated medium severity (CVSS 6.9), thi

CVE-2024-55488 MEDIUM POC
6.5 Jan 22

A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scrip

CVE-2020-5811 MEDIUM POC
6.5 Dec 30

An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, whi

CVE-2020-9472 MEDIUM POC
6.5 Mar 16

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package f

CVE-2012-1301 CRITICAL
9.8 Apr 13

The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" param

CVE-2023-37267 CRITICAL
9.8 Jul 13

Umbraco is a ASP.NET CMS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authenticat

CVE-2020-5810 MEDIUM POC
5.4 Dec 30

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili

CVE-2020-5809 MEDIUM POC
5.4 Dec 30

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili

CVE-2021-47776 MEDIUM POC
5.3 Jan 15

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl par

CVE-2025-32017 HIGH
8.8 Apr 08

Umbraco is a free and open source .NET content management system. Rated high severity (CVSS 8.8), this vulnerability is

Share

CVE-2025-67288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy