Skip to main content

Umbraco CMS EUVDEUVD-2026-36070

| CVE-2026-46609 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-21 https://github.com/umbraco/Umbraco-CMS GHSA-vr9v-27gg-qgx4
4.6
CVSS 3.1 · Vendor: https://github.com/umbraco/Umbraco-CMS
Share

Severity by source

Vendor (https://github.com/umbraco/Umbraco-CMS) PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from Vendor (https://github.com/umbraco/Umbraco-CMS) · only source for this CVE.

CVSS VectorVendor: https://github.com/umbraco/Umbraco-CMS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 21:36 vuln.today
Analysis Generated
May 21, 2026 - 21:36 vuln.today

DescriptionCVE.org

Impact

Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding.

Patches

This issue has been patched in 17.4.0

AnalysisAI

HTML injection (stored XSS) in the Umbraco CMS Backoffice confirmation dialog allows authenticated low-privilege users to inject arbitrary HTML into an input field that is subsequently rendered without output encoding when a confirmation dialog is triggered. Affected versions span nuget/Umbraco.Cms 14.0.0 through 17.3.5. The CVSS score of 4.6 reflects the constrained attack surface: exploitation requires an authenticated Backoffice session and a second victim user to interact with the dialog, limiting blast radius to the admin panel rather than public-facing surfaces. No public exploit identified at time of analysis and this CVE does not appear in the CISA KEV catalog.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-controlled data is interpolated into a confirmation dialog's DOM without HTML-encoding, allowing tag injection. The affected component is the Umbraco Backoffice - the .NET-based administrative interface distributed as the nuget/Umbraco.Cms package. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N indicates the exploit path is network-accessible, requires low privilege (an authenticated Backoffice account), and depends on a second user interacting with the rendered dialog. The unchanged scope (S:U) confirms the vulnerability is confined to the Backoffice browser session and does not cross trust boundaries to the underlying server.

RemediationAI

The primary fix is to upgrade nuget/Umbraco.Cms to version 17.4.0 or later, which resolves the missing output encoding in the confirmation dialog. The vendor-confirmed patch is documented at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4. If an immediate upgrade to 17.4.0 is not feasible, a compensating control is to restrict Backoffice access to trusted, authenticated internal users only - blocking external or anonymous network access to the /umbraco path via WAF or reverse proxy rules reduces the exploitable surface. Note that this workaround does not eliminate the vulnerability for internal users who retain Backoffice access. No additional workarounds specific to disabling the confirmation dialog feature were identified in available data.

Share

EUVD-2026-36070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy