Every CVE whose affected-product data names Umbraco Umbraco Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (57)
CVE-2025-67288 — CVSS 10.0 (critical): An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file…
CVE-2012-10054 — CVSS 9.8 (critical): Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint…
CVE-2012-1301 — CVSS 9.8 (critical): The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter.
CVE-2014-10074 — CVSS 9.8 (critical): Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not…
CVE-2025-32017 — CVSS 8.8 (high): Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft…
CVE-2020-9471 — CVSS 8.8 (high): Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality.
CVE-2022-22690 — CVSS 8.6 (high): Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever application code…
CVE-2023-49089 — CVSS 7.7 (high): Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0…
CVE-2013-4793 — CVSS 7.5 (high): The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does…
CVE-2023-37267 — CVSS 7.5 (high): Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This…
CVE-2026-31834 — CVSS 7.2 (high): Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco…
CVE-2019-25137 — CVSS 7.2 (high): Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an…
CVE-2022-22691 — CVSS 6.8 (medium): The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password…
CVE-2026-31833 — CVSS 6.7 (medium): Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject…
CVE-2020-9472 — CVSS 6.5 (medium): Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.
CVE-2020-5811 — CVSS 6.5 (medium): An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in…
CVE-2024-55488 — CVSS 6.5 (medium): A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a…
CVE-2021-34254 — CVSS 6.1 (medium): Umbraco CMS before 7.15.7 is vulnerable to Open Redirection due to insufficient url sanitization on booting.aspx.
CVE-2024-34071 — CVSS 6.1 (medium): Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is…
CVE-2017-15280 — CVSS 5.5 (medium): XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on…
CVE-2025-48953 — CVSS 5.5 (medium): Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to…
CVE-2026-46616 — CVSS 5.4 (medium): Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member…
CVE-2020-5809 — CVSS 5.4 (medium): A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into…
CVE-2017-15279 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the…
CVE-2023-49273 — CVSS 5.4 (medium): Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users…
CVE-2024-43377 — CVSS 5.4 (medium): Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.
CVE-2020-5810 — CVSS 5.4 (medium): A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a…
CVE-2026-31832 — CVSS 5.4 (medium): Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a…
CVE-2025-54425 — CVSS 5.3 (medium): Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can…
CVE-2021-47776 — CVSS 5.3 (medium): Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple…
CVE-2023-49278 — CVSS 5.3 (medium): Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute…
CVE-2025-24011 — CVSS 5.3 (medium): Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's…
CVE-2025-46736 — CVSS 5.3 (medium): Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing…
CVE-2025-49147 — CVSS 5.3 (medium): Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through…
CVE-2025-66625 — CVSS 4.9 (medium): Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary…
CVE-2025-27602 — CVSS 4.9 (medium): Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9…
CVE-2018-17256 — CVSS 4.8 (medium): Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web script via the…
CVE-2025-24012 — CVSS 4.6 (medium): Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2…
CVE-2024-48927 — CVSS 4.6 (medium): Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to…
CVE-2026-46609 — CVSS 4.6 (medium): Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field…
CVE-2023-48227 — CVSS 4.3 (medium): Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0…
CVE-2024-10761 — CVSS 4.3 (medium): A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an…
CVE-2020-29454 — CVSS 4.3 (medium): Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings…
CVE-2025-27601 — CVSS 4.3 (medium): Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API…
CVE-2024-43376 — CVSS 4.3 (medium): Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode…
CVE-2023-48313 — CVSS 4.3 (medium): Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a…
CVE-2024-48926 — CVSS 4.2 (medium): Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch…
CVE-2024-35218 — CVSS 4.2 (medium): Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to…
CVE-2024-47819 — CVSS 4.2 (medium): Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and…
CVE-2024-48929 — CVSS 4.2 (medium): Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x…
CVE-2024-29035 — CVSS 4.1 (medium): Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that…
CVE-2023-49279 — CVSS 3.7 (low): Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and…
CVE-2024-28868 — CVSS 3.7 (low): Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a…
CVE-2023-49274 — CVSS 3.7 (low): Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user…
CVE-2023-38694 — CVSS 3.5 (low): Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user…
CVE-2024-48925 — CVSS 0.0 (none): Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior…