Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from Vendor (https://github.com/umbraco/Umbraco-CMS) · only source for this CVE.
CVSS VectorVendor: https://github.com/umbraco/Umbraco-CMS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding.
Patches
This issue has been patched in 17.4.0
AnalysisAI
HTML injection (stored XSS) in the Umbraco CMS Backoffice confirmation dialog allows authenticated low-privilege users to inject arbitrary HTML into an input field that is subsequently rendered without output encoding when a confirmation dialog is triggered. Affected versions span nuget/Umbraco.Cms 14.0.0 through 17.3.5. The CVSS score of 4.6 reflects the constrained attack surface: exploitation requires an authenticated Backoffice session and a second victim user to interact with the dialog, limiting blast radius to the admin panel rather than public-facing surfaces. No public exploit identified at time of analysis and this CVE does not appear in the CISA KEV catalog.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-controlled data is interpolated into a confirmation dialog's DOM without HTML-encoding, allowing tag injection. The affected component is the Umbraco Backoffice - the .NET-based administrative interface distributed as the nuget/Umbraco.Cms package. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N indicates the exploit path is network-accessible, requires low privilege (an authenticated Backoffice account), and depends on a second user interacting with the rendered dialog. The unchanged scope (S:U) confirms the vulnerability is confined to the Backoffice browser session and does not cross trust boundaries to the underlying server.
RemediationAI
The primary fix is to upgrade nuget/Umbraco.Cms to version 17.4.0 or later, which resolves the missing output encoding in the confirmation dialog. The vendor-confirmed patch is documented at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4. If an immediate upgrade to 17.4.0 is not feasible, a compensating control is to restrict Backoffice access to trusted, authenticated internal users only - blocking external or anonymous network access to the /umbraco path via WAF or reverse proxy rules reduces the exploitable surface. Note that this workaround does not eliminate the vulnerability for internal users who retain Backoffice access. No additional workarounds specific to disabling the confirmation dialog feature were identified in available data.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36070
GHSA-vr9v-27gg-qgx4