Lucene search
K

343 matches found

Snyk
Snyk
added 2026/03/11 12:37 a.m.9 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management due to insufficient authorization enforcement when modifying user group memberships. An attacker can gain higher-level privileges by assigning highly privileged roles without proper validation of their own...

8.6CVSS5.8AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/11 12:37 a.m.7 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management due to insufficient authorization enforcement when modifying user group memberships. An attacker can gain higher-level privileges by assigning highly privileged roles without proper validation of their own...

8.6CVSS5.8AI score0.00257EPSS
Exploits0References2
OSV
OSV
added 2026/03/11 12:24 a.m.5 views

GHSA-FPVF-FVP5-996R Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Description A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insufficient authorization enforcement on the affected API...

5.4CVSS5.8AI score0.00179EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/11 12:24 a.m.7 views

Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Description A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insufficient authorization enforcement on the affected API...

5.4CVSS5.8AI score0.00179EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/11 12:24 a.m.6 views

EUVD-2026-10935

Umbraco Backoffice API Allows Unauthorized Modification of Domain Data...

5.4CVSS5.8AI score0.00179EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/11 12:24 a.m.5 views

EUVD-2026-10934

Umbraco Backoffice API Allows Unauthorized Modification of Domain Data...

5.4CVSS5.8AI score0.00179EPSS
Exploits0References1
NVD
NVD
added 2026/03/10 10:16 p.m.7 views

CVE-2026-31832

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

5.4CVSS0.00179EPSS
Exploits0References1
NVD
NVD
added 2026/03/10 10:16 p.m.5 views

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration /.+/ in the UFM DOMPurify instance, event handler...

6.7CVSS0.0026EPSS
Exploits0References1
NVD
NVD
added 2026/03/10 10:16 p.m.6 views

CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS0.00257EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/10 9:53 p.m.30 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS0.00257EPSS
Exploits0References1
OSV
OSV
added 2026/03/10 9:53 p.m.6 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/10 9:53 p.m.3 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References1
CVE
CVE
added 2026/03/10 9:53 p.m.16 views

CVE-2026-31834

Umbraco CMS (ASP.NET) versions affected: 15.3.1 up to before 16.5.1 and 17.2.2. A privilege escalation vulnerability exists where authenticated backoffice users with permission to manage users may elevate privileges during modification of user group memberships due to insufficient authorization c...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/10 9:53 p.m.2 views

CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/10 9:51 p.m.32 views

CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration /.+/ in the UFM DOMPurify instance, event handler...

6.7CVSS0.0026EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/10 9:51 p.m.3 views

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration /.+/ in the UFM DOMPurify instance, event handler...

6.7CVSS5.8AI score0.0026EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/03/10 9:51 p.m.16 views

CVE-2026-31833

Summary : CVE-2026-31833 affects Umbraco (ASP.NET CMS). From 16.2.0 up to but not including 16.5.1 and 17.2.2, an authenticated backoffice user with Settings access can inject malicious HTML into property type descriptions due to an overly permissive attributeNameCheck in the UFM DOMPurify instan...

6.7CVSS5.8AI score0.0026EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/10 9:51 p.m.2 views

CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration /.+/ in the UFM DOMPurify instance, event handler...

6.7CVSS5.8AI score0.0026EPSS
Exploits0References1
OSV
OSV
added 2026/03/10 9:51 p.m.4 views

CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration /.+/ in the UFM DOMPurify instance, event handler...

6.7CVSS5.8AI score0.0026EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/10 9:49 p.m.33 views

CVE-2026-31832 Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

5.4CVSS0.00179EPSS
Exploits0References1
Rows per page
Query Builder