Description
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*), were not filtered. This vulnerability is fixed in 16.5.1 and 17.2.2.
Published: 2026-03-10
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

A permissive configuration in the UFM DOMPurify instance allowed event‑handler attributes such as onclick and onload to bypass sanitization. An authenticated back‑office user with access to Settings can inject malicious HTML into property‑type descriptions, enabling the execution of arbitrary JavaScript in users’ browsers when the affected CMS loads the web components (umb‑*, uui‑*, ufm‑*). This flaw falls under CWE‑79 and can compromise the confidentiality and integrity of data processed by the application, as well as the user experience for unsuspecting end users.

Affected Systems

Affected systems are Umbraco CMS releases from 16.2.0 up to, but not including, 16.5.1 and 17.2.2, the releases that carry the fix. The flaw sits in the UFM rendering pipeline, specifically in the attribute filtering that the UFM DOMPurify instance applies to Umbraco web components. Users should verify that their installed version is at least 16.5.1 (for 16.x) or 17.2.2 (for 17.x) to confirm the issue has been fixed.

Risk and Exploitability

The CVSS score for this vulnerability is 6.7, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the general population, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with back‑office Settings access (reflected in the PR:H component of the CVSS vector); such a user can inject crafted HTML whose event‑handler attributes survive sanitization, leading to stored cross‑site scripting in the front‑end of the site.

Generated by OpenCVE AI on April 16, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Umbraco CMS to version 16.5.1 or later, or 17.2.2 or later, to apply the vendor‑supplied fix
  • If an upgrade is not immediately possible, reconfigure the UFM DOMPurify instance by restricting the attributeNameCheck pattern to disallow event‑handler attributes such as onclick and onload
  • Limit back‑office user permissions so that only trusted administrators have Settings access to reduce the attack surface

Generated by OpenCVE AI on April 16, 2026 at 09:23 UTC.
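The second recommended action, restricting the attributeNameCheck pattern, is easier to reason about next to a concrete comparison. The block below is an added example, not code from Umbraco, DOMPurify or OpenCVE: it models the part of DOMPurify's documented CUSTOM_ELEMENT_HANDLING option (tagNameCheck, attributeNameCheck, allowCustomizedBuiltInElements) that decides which attributes survive on a custom element, and runs the advisory's permissive pattern (/.+/) and a stricter pattern side by side over constructed markup. The stricter regex, the configuration names PERMISSIVE_CONFIG and HARDENED_CONFIG, and the helpers parseOpeningTag, filterAttributes, sanitizeOpeningTag and findEventHandlerAttributes are all assumptions for illustration; the vendor's actual replacement pattern is not given on this page, and the filtering logic is a stand-in rather than DOMPurify's implementation.

```javascript
// Added example (not Umbraco's, DOMPurify's or OpenCVE's code). Models how a
// DOMPurify-style attributeNameCheck decides which attributes stay on a custom
// element, so the advisory's permissive /.+/ can be compared with a stricter check.

const COMPONENT_PREFIXES = /^(umb|uui|ufm)-/; // web-component prefixes named in the advisory

// Option objects in the shape DOMPurify documents for CUSTOM_ELEMENT_HANDLING.
const PERMISSIVE_CONFIG = {
  CUSTOM_ELEMENT_HANDLING: {
    tagNameCheck: COMPONENT_PREFIXES,
    attributeNameCheck: /.+/, // overly permissive: every attribute name passes, onclick included
    allowCustomizedBuiltInElements: false,
  },
};

const HARDENED_CONFIG = {
  CUSTOM_ELEMENT_HANDLING: {
    tagNameCheck: COMPONENT_PREFIXES,
    // Assumed replacement pattern (not the vendor's fix): lowercase names that do
    // not begin with "on", so onclick, onload, onerror, ... are never kept.
    attributeNameCheck: /^(?!on)[a-z][a-z0-9-]*$/,
    allowCustomizedBuiltInElements: false,
  },
};

// Stand-in for DOMPurify's built-in attribute allow list on ordinary elements
// (deliberately tiny; enough to show where the custom-element path differs).
const BUILTIN_ATTRS = new Set(['class', 'id', 'title', 'href', 'src', 'alt']);

// Parse one opening tag such as <umb-badge color="x" onclick="y"> into
// { tag, attrs: [[name, value], ...] }. Returns null if the text is not an opening tag.
function parseOpeningTag(html) {
  const m = /^<([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:="[^"]*")?)*)\s*>$/.exec(html.trim());
  if (!m) return null;
  const attrs = [];
  const attrRe = /([^\s=]+)(?:="([^"]*)")?/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) attrs.push([a[1], a[2] ?? '']);
  return { tag: m[1].toLowerCase(), attrs };
}

// Decide which attributes survive on one element under a given config.
// Custom elements (name contains "-") go through tagNameCheck + attributeNameCheck;
// everything else falls back to the built-in allow list.
function filterAttributes(tag, attrs, config) {
  const h = config.CUSTOM_ELEMENT_HANDLING;
  const isCustom = tag.includes('-');
  const kept = [];
  const dropped = [];
  for (const [name, value] of attrs) {
    const lname = name.toLowerCase(); // attribute names are case-insensitive in HTML
    const allowed = isCustom
      ? h.tagNameCheck.test(tag) && h.attributeNameCheck.test(lname)
      : BUILTIN_ATTRS.has(lname);
    (allowed ? kept : dropped).push([lname, value]);
  }
  return { kept, dropped };
}

// Rebuild the opening tag with only the surviving attributes; null if not a tag.
function sanitizeOpeningTag(html, config) {
  const parsed = parseOpeningTag(html);
  if (!parsed) return null;
  const { kept } = filterAttributes(parsed.tag, parsed.attrs, config);
  const attrText = kept.map(([n, v]) => ` ${n}="${v}"`).join('');
  return `<${parsed.tag}${attrText}>`;
}

// Defender-side audit: list on* attributes present in stored markup, so existing
// property-type descriptions can be reviewed while an upgrade is scheduled.
function findEventHandlerAttributes(html) {
  const found = [];
  const tagRe = /<[^>]+>/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const parsed = parseOpeningTag(t[0]);
    if (!parsed) continue; // closing tags and malformed fragments are skipped
    for (const [name] of parsed.attrs) {
      if (/^on/i.test(name)) found.push({ tag: parsed.tag, attr: name.toLowerCase() });
    }
  }
  return found;
}

// Constructed sample of the kind of markup the advisory describes.
const SAMPLE = '<umb-badge color="positive" onclick="alert(1)">';

console.log(sanitizeOpeningTag(SAMPLE, PERMISSIVE_CONFIG)); // handler survives
console.log(sanitizeOpeningTag(SAMPLE, HARDENED_CONFIG));   // handler removed
console.log(findEventHandlerAttributes(SAMPLE));             // [{ tag: 'umb-badge', attr: 'onclick' }]
```

The negative lookahead in the hardened pattern is what matters: a pattern that merely lists allowed characters, like the original /.+/, still accepts every event-handler name, because those names are ordinary lowercase identifiers. Lowercasing before the test also matters, since a case-insensitive HTML parser treats OnClick and onclick as the same attribute.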


Advisories

Source: Github GHSA
ID: GHSA-vrqc-59mw-qqg7
Title: Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
History

Wed, 18 Mar 2026 20:15:00 +0000

Values Added
First Time appeared: Umbraco umbraco Cms
CPEs: cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*
Vendors & Products: Umbraco umbraco Cms

Wed, 11 Mar 2026 16:15:00 +0000

Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Values Added
First Time appeared: Umbraco, Umbraco cms
Vendors & Products: Umbraco, Umbraco cms

Tue, 10 Mar 2026 22:00:00 +0000

Values Added
Description: Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered. This vulnerability is fixed in 16.5.1 and 17.2.2.
Title: Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
Weaknesses: CWE-79
References:
Metrics cvssV3_1: {'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:58:47.606Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31833

Vulnrichment

Updated: 2026-03-11T15:52:32.401Z

NVD

Status: Analyzed

Published: 2026-03-10T22:16:21.410

Modified: 2026-03-18T20:01:24.743

Link: CVE-2026-31833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses