15 matches found

Snyk
added 2026/03/11 12:37 a.m. | 2 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via a backoffice API endpoint. An attacker can modify domain-related data on content nodes without proper authorization by making crafted API calls as an authenticated user, even when...

CVSS 5.4 | AI score 5.8 | EPSS 0.00056
Exploits: 0 | References: 2

OSV
added 2026/03/11 12:24 a.m. | 0 views

GHSA-FPVF-FVP5-996R Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Description: A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insufficient authorization enforcement on the affected API...

CVSS 5.4 | AI score 5.8 | EPSS 0.00056
Exploits: 0 | References: 3

NVD
added 2026/03/10 10:16 p.m. | 2 views

CVE-2026-31832

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, a broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

CVSS 5.4 | EPSS 0.00056
Exploits: 0 | References: 1

Cvelist
added 2026/03/10 9:49 p.m. | 27 views

CVE-2026-31832 Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, a broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

CVSS 5.4 | EPSS 0.00056
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/10 9:49 p.m. | 2 views

CVE-2026-31832

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, a broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

CVSS 5.4 | AI score 5.8 | EPSS 0.00056
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2026/03/10 9:49 p.m. | 5 views

CVE-2026-31832

Umbraco (ASP.NET CMS) has a broken object-level authorization vulnerability in backoffice API endpoints affecting 14.0.0–before 16.5.1 and 17.2.2. An authenticated user can assign domain-related data to content nodes without proper authorization checks due to insufficient enforcement on the affec...

CVSS 5.4 | AI score 5.8 | EPSS 0.00056
Exploits: 0 | References: 1 | Affected Software: 1

Veracode
added 2025/03/17 5:1 p.m. | 11 views

Incorrect Authorization

Umbraco.Cms.Web.Backoffice is vulnerable to Incorrect Authorization. The vulnerability is due to improper access control due to manipulation of backoffice API URLs, allowing authenticated users to retrieve or delete restricted content...

CVSS 6.4 | AI score 6.6 | EPSS 0.00195
Exploits: 0 | References: 5 | Affected Software: 1

RedhatCVE
added 2025/03/14 9:8 a.m. | 9 views

CVE-2025-27602

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folde...

CVSS 6.4 | AI score 6.5 | EPSS 0.00195
Exploits: 0 | References: 1

OSV
added 2025/03/11 3:32 p.m. | 7 views

CVE-2025-27602 Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folde...

CVSS 4.9 | AI score 6.2 | EPSS 0.00195
Exploits: 0 | References: 5

Vulnrichment
added 2025/03/11 3:32 p.m. | 9 views

CVE-2025-27602 Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folde...

CVSS 4.9 | AI score 5 | EPSS 0.00195
Exploits: 0 | References: 3

GitHub Security Blog
added 2025/03/11 3:27 p.m. | 25 views

Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

Impact: Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. Patches: Will be patched in 10.8.9 and 13.7.1. Workarounds: None available...

CVSS 6.4 | AI score 6.6 | EPSS 0.00195
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2025/03/11 3:27 p.m. | 7 views

GHSA-WX5H-WQFQ-V698 Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

Impact: Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. Patches: Will be patched in 10.8.9 and 13.7.1. Workarounds: None available...

CVSS 4.9 | AI score 6.6 | EPSS 0.00195
Exploits: 0 | References: 5

OSSF Malicious Packages
added 2024/06/25 1:27 p.m. | 3 views

Malicious code in Be.Vlaanderen.Basisregisters.PսblicServicеRegistry.Aрi.Bаckoffice (NuGet)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits: 0

OSSF Malicious Packages
added 2024/06/25 1:26 p.m. | 3 views

Malicious code in Be.Vlaandereո.Basisregisters.StreetNameRegistrу.Api.BackOffiсе (NuGet)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits: 0

OSSF Malicious Packages
added 2024/06/25 1:25 p.m. | 3 views

Malicious code in Be.Vlaanԁeren.Basisregisters.BuildingRegistry.Api.BаckOffice (NuGet)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits: 0