503 matches found

Github Security Blog
added 2026/03/11 2:54 p.m., 3 views

Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler attributes such as onclick and onload, when used within...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 3, Affected software 1
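The listing above names the root cause (an attributeNameCheck of /.+/ in a DOMPurify instance) but cuts off before saying where the event handlers end up. In DOMPurify that option lives under CUSTOM_ELEMENT_HANDLING and decides which attribute names may survive on custom elements, so a regex that matches everything also matches onclick and onload. The block below is an added illustration, not Umbraco's or DOMPurify's code: a small model of that allow/deny decision, with the weak configuration beside a hardened one. The function names, the ufm- tag prefix, the baseline attribute allowlist and the sample markup are assumptions made for the example.

```javascript
// Added example (not DOMPurify or Umbraco code): a model of the custom-element
// attribute gate that DOMPurify's CUSTOM_ELEMENT_HANDLING option controls.
// Everything below (names, prefix, sample markup) is assumed for illustration.

// Stand-in for DOMPurify's built-in attribute allowlist.
const BASE_ALLOWED_ATTR = new Set(['class', 'id', 'title', 'href', 'src', 'alt']);

// A custom element name must contain a hyphen (HTML rule, simplified here).
function isBasicCustomElement(lcTag) {
  return /^[a-z][a-z0-9]*-[a-z0-9-]+$/.test(lcTag);
}

// Weak configuration, as described in the advisory: any attribute name passes.
const PERMISSIVE_HANDLING = {
  tagNameCheck: /^ufm-/,      // assumed: the app allows its own custom elements
  attributeNameCheck: /.+/,   // matches everything, including onclick and onload
};

// Hardened configuration: spell out which attributes custom elements may carry.
// Nothing starting with "on" can match this pattern.
const STRICT_HANDLING = {
  tagNameCheck: /^ufm-/,
  attributeNameCheck: /^(data-[a-z0-9-]+|aria-[a-z0-9-]+|class|id|title)$/,
};

// Decide whether one attribute survives on one element. Two routes, mirroring
// DOMPurify: the global allowlist, or the custom-element escape hatch where both
// tagNameCheck and attributeNameCheck must match.
function isAttributeAllowed(tag, name, handling) {
  const lcTag = tag.toLowerCase();
  const lcName = name.toLowerCase();
  if (BASE_ALLOWED_ATTR.has(lcName)) return true;
  return (
    isBasicCustomElement(lcTag) &&
    handling.tagNameCheck.test(lcTag) &&
    handling.attributeNameCheck.test(lcName)
  );
}

// Apply the gate to one element and return the attributes that are kept.
function filterAttributes(element, handling) {
  const kept = {};
  for (const [name, value] of Object.entries(element.attrs)) {
    if (isAttributeAllowed(element.tag, name, handling)) kept[name] = value;
  }
  return kept;
}

// Constructed samples: an event handler on a custom element, and the same
// handler on a plain <span>.
const SAMPLE_CUSTOM = { tag: 'ufm-label', attrs: { class: 'desc', onclick: 'alert(document.domain)' } };
const SAMPLE_SPAN = { tag: 'span', attrs: { class: 'desc', onclick: 'alert(document.domain)' } };

function demo() {
  return {
    permissiveCustom: filterAttributes(SAMPLE_CUSTOM, PERMISSIVE_HANDLING), // onclick survives
    strictCustom: filterAttributes(SAMPLE_CUSTOM, STRICT_HANDLING),         // onclick dropped
    permissiveSpan: filterAttributes(SAMPLE_SPAN, PERMISSIVE_HANDLING),     // dropped: not a custom element
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to take from the model: with /.+/ the custom-element route becomes a second, unrestricted allowlist, so the fix is an explicit pattern of attribute names rather than a denylist of on* prefixes, and the same scrutiny applies to tagNameCheck.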
EUVD
added 2026/03/11 2:54 p.m., 3 views

EUVD-2026-10936

Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 2
OSV
added 2026/03/11 2:54 p.m., 2 views

GHSA-VRQC-59MW-QQG7 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler attributes such as onclick and onload, when used within...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 3
NVD
added 2026/03/10 10:16 p.m., 1 view

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler...

CVSS 6.7, EPSS 0.00066
Exploits 0, References 1
ATTACKERKB
added 2026/03/10 9:51 p.m., 2 views

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 2, Affected software 1
Cvelist
added 2026/03/10 9:51 p.m., 26 views

CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler...

CVSS 6.7, EPSS 0.00066
Exploits 0, References 1
CVE
added 2026/03/10 9:51 p.m., 8 views

CVE-2026-31833

Summary: CVE-2026-31833 affects Umbraco (ASP.NET CMS). From 16.2.0 up to but not including 16.5.1 and 17.2.2, an authenticated backoffice user with Settings access can inject malicious HTML into property type descriptions because of an overly permissive attributeNameCheck in the UFM DOMPurify instan...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 1, Affected software 1
Vulnrichment
added 2026/03/10 9:51 p.m., 0 views

CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 1
OSV
added 2026/03/10 9:51 p.m., 0 views

CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the UFM DOMPurify instance is configured with an overly permissive attributeNameCheck of /.+/, event handler...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 3
Positive Technologies
added 2026/03/10 12:00 a.m., 4 views

PT-2026-24486

Affected software and versions: Umbraco 16.2.0 through 16.5.0; Umbraco 17.2.2. Description: Umbraco is an ASP.NET CMS. An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. The issue stems from an...

CVSS 6.7, AI score 5.8, EPSS 0.00066
Exploits 0, References 4
Packet Storm
added 2026/03/09 12:00 a.m., 116 views

DOMPurify 3.1.3 Cross Site Scripting

A mutation cross-site scripting (mXSS) vulnerability exists in DOMPurify versions 3.1.3 and below when the SAFE_FOR_XML configuration is enabled. Title: DOMPurif...

AI score 5.3
Exploits 0
Tenable Nessus
added 2026/03/04 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-15599

The Linux/Unix host has one or more packages installed that are affected by a vulnerability for which no vendor-supplied patch is available. DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by...

CVSS 6.1, AI score 5.8, EPSS 0.00039
Exploits 0, References 4
Tenable Nessus
added 2026/03/04 12:00 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-0540

The Linux/Unix host has one or more packages installed that are affected by a vulnerability for which no vendor-supplied patch is available. DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass...

CVSS 6.1, AI score 7.3, EPSS 0.00014
Exploits 0, References 4
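The two Nessus entries above give the affected DOMPurify ranges for CVE-2025-15599 (3.1.3 through 3.2.6 and 2.5.3 through 2.5.8) and CVE-2026-0540 (3.1.3 through 3.3.1 and 2.5.3 through 2.5.8). Because DOMPurify is usually pulled in transitively (the vulnersOsv entries further down list thousands of dependents), the practical check is to walk a lockfile for every copy, nested ones included, rather than to look only at the top-level dependency. The block below is an added example, not Tenable's, Snyk's or DOMPurify's code: it parses a package-lock.json "packages" map, compares each dompurify version against those ranges, and reports the matching CVE ids. The lockfile snippet, its package names and versions are constructed for the example; the ranges are the ones stated in the listings.

```javascript
// Added example (not from Tenable, Snyk or DOMPurify): triage a package-lock.json
// for dompurify copies inside the affected ranges stated in the listings.
// The sample lockfile below is constructed; its package names are invented.

const AFFECTED = {
  'CVE-2025-15599': [['3.1.3', '3.2.6'], ['2.5.3', '2.5.8']],
  'CVE-2026-0540': [['3.1.3', '3.3.1'], ['2.5.3', '2.5.8']],
};

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare numeric parts; a prerelease sorts before the same release (semver
// rule). Prerelease identifiers are not ordered among themselves here.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Inclusive range check, matching the "X through Y" wording of the listings.
function inRange(version, [lo, hi]) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Return the CVE ids whose affected ranges contain this version.
function cvesForVersion(version) {
  return Object.entries(AFFECTED)
    .filter(([, ranges]) => ranges.some((r) => inRange(version, r)))
    .map(([id]) => id);
}

// Walk a lockfile v2/v3 "packages" map and report every dompurify copy,
// nested copies included, together with the CVEs that apply to it.
function triageLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    const cves = cvesForVersion(meta.version);
    if (cves.length) findings.push({ path, version: meta.version, cves });
  }
  return findings;
}

// Constructed sample lockfile: a top-level 3.2.6 (inside both ranges), a nested
// 3.3.0 (inside the CVE-2026-0540 range only) and a nested 3.3.2 (outside the
// listed ranges). The dependent package names are invented.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/dompurify': { version: '3.2.6' },
    'node_modules/some-editor/node_modules/dompurify': { version: '3.3.0' },
    'node_modules/other-lib/node_modules/dompurify': { version: '3.3.2' },
    'node_modules/some-editor': { version: '1.0.0' },
  },
};

console.log(JSON.stringify(triageLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json; the path regex deliberately matches nested node_modules copies, which is where an unpinned transitive dompurify usually hides.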
Snyk
added 2026/03/03 9:44 p.m., 3 views

Cross-site Scripting (XSS)

Overview: dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify function, via comments embedded in XML textarea attributes containing scripts. Details: Cross-site scripting, or XSS, is a code...

CVSS 6.1, AI score 5.5, EPSS 0.00039
Exploits 0, References 2
vulnersOsv
added 2026/03/03 9:44 p.m., 4 views

@3t-transform/threeteeui (>=1.5.1 <=1.9.108), @8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4) +1236 more potentially affected by CVE-2025-15599 via dompurify (>=3.0.0 <=3.2.6)

dompurify (npm) versions >=3.0.0 <=3.2.6, with dependents from versions 1.5.1, 0.18.0-beta.0, 0.0.0-dev-20240828032938, 0.2.8-experimental.0, 1.2.0, 1.0.0, 4.4.0-rc1, 6.4.10, 5.1.1, 1.0.0, 1.0.2, 1.0.9 and more. Source CVE: CVE-2025-15599. Source advisory: SNYK:JS-DOMPURIFY-15371386...

CVSS 6.1, AI score 5.8, EPSS 0.00039
Exploits 0
Snyk
added 2026/03/03 9:44 p.m., 2 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify function, via comments embedded in XML textarea attributes containing scripts. Details: Cross-site scripting ...

CVSS 6.1, AI score 5.5, EPSS 0.00039
Exploits 0, References 2
vulnersOsv
added 2026/03/03 9:44 p.m., 4 views

org.webjars.npm:formio__core (=2.6.0), org.webjars.npm:monaco-editor (=0.54.0) potentially affected by CVE-2025-15599 via org.webjars.npm:dompurify (>=3.1.7 <=3.2.4)

org.webjars.npm:dompurify (Maven) versions >=3.1.7 <=3.2.4 are affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:dompurify and may be impacted: org.webjars.npm:formio__core 2.6.0; org.webjars.npm:monaco-editor 0.54.0. Source CVE: CVE-2025-1559...

CVSS 6.1, AI score 5.8, EPSS 0.00039
Exploits 0
vulnersOsv
added 2026/03/03 9:44 p.m., 4 views

1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +1946 more potentially affected by CVE-2026-0540 via dompurify (>=3.0.0 <=3.3.1)

dompurify (npm) versions >=3.0.0 <=3.3.1, with dependents from versions 0.3.96, 0.3.33, 0.5.0, 1.5.1, 0.18.0-beta.0, 0.0.1, 0.1.0-alpha.1, 0.1.0, 0.1.0, 0.0.0-dev-20240828032938, 0.2.8-experimental.0, 1.2.0, 1.0.0, 4.4.0-rc1, 4.10.8-rc26 and more. Source CVE: CVE-2026-0540. Source advisory: SNYK:JS-DOMPURIFY-15371376...

CVSS 6.1, AI score 7.2, EPSS 0.00014
Exploits 0
Snyk
added 2026/03/03 9:44 p.m., 4 views

Cross-site Scripting (XSS)

Overview: dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the createDOMPurify function, via comments embedded in XML noscript, xmp, noembed, noframes, and iframe attributes containing scripts. Details...

CVSS 6.1, AI score 5.5, EPSS 0.00014
Exploits 0, References 2
vulnersOsv
added 2026/03/03 9:44 p.m., 4 views

@0xgg/echomd (>=1.0.0 <=1.0.4), @7nohe/vite-plugin-vue-marked (=0.2.1) +1082 more potentially affected by CVE-2026-0540 via dompurify (>=2.0.0 <=2.5.8)

dompurify (npm) versions >=2.0.0 <=2.5.8, with dependents from versions 1.0.0, 0.2.0-beta.9, 0.2.0-beta.13, 6.2.3, 6.4.3, 0.0.2, 0.3.0, 0.1.0, 0.1.0-a0, 1.0.0, 0.0.18, 1.0.0, 1.1.0 and more. Source CVE: CVE-2026-0540. Source advisory: SNYK:JS-DOMPURIFY-15371376...

CVSS 6.1, AI score 7.2, EPSS 0.00014
Exploits 0