3 matches found
CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler...
PT-2025-5259 · Umbraco · Umbraco
Name of the Vulnerable Software and Affected Versions: Umbraco versions 14.0.0 through 14.3.1; Umbraco versions 15.0.0 through 15.1.1. Description: The issue allows authenticated users to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components...
PT-2024-25682 · Umbraco · Umbraco
Name of the Vulnerable Software and Affected Versions: Umbraco versions 8.18.5 through 8.18.13; Umbraco versions 10.5.0 through 10.8.5; Umbraco versions 12.0.0 through 12.3.9; Umbraco versions 13.0.0 through 13.3.0. Description: Umbraco is an ASP.NET CMS used by more than 730,000 websites. It has an...