Description
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
Published: 2026-06-10
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authenticated users in Umbraco 14.0.0 up to just before 17.4.0 can inject arbitrary HTML into an input field that is subsequently rendered in the backoffice confirmation dialog without proper output encoding. This flaw allows an attacker to execute malicious scripts in the context of any user who views the dialog, potentially leading to session hijacking, data theft, or defacement. The security impact is limited to the browser session of the abused user but can affect all users who trigger the dialog.

Affected Systems

The vulnerable component is the Umbraco CMS backoffice, affecting all releases from version 14.0.0 through the last minor release before 17.4.0. The fix was incorporated in version 17.4.0 and later.

Risk and Exploitability

The CVSS score of 4.6 indicates a medium impact, and the exploit requires the attacker to be an authenticated backoffice user, which reduces its likelihood to insider or credential‑compromise scenarios. EPSS is not available, and the vulnerability is not listed in CISA KEV, suggesting no large‑scale exploitation campaigns have been observed. Still, the potential for user‑browsing attacks warrants prompt mitigation wherever feasible.

Generated by OpenCVE AI on June 10, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Umbraco CMS to 17.4.0 or later to apply the official fix
  • If an upgrade is delayed, restrict the roles that can edit the affected field and enforce server‑side filtering that strips HTML markup before storage
  • Configure a web‑application firewall or modify the backoffice template to encode or escape the value before it is inserted into the confirmation dialog

Generated by OpenCVE AI on June 10, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vr9v-27gg-qgx4 Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
History

Wed, 10 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Umbraco
Umbraco cms
Vendors & Products Umbraco
Umbraco cms

Wed, 10 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
Title Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Umbraco Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:08:11.096Z

Reserved: 2026-05-15T19:34:14.011Z

Link: CVE-2026-46609

cve-icon Vulnrichment

Updated: 2026-06-10T18:08:07.131Z

cve-icon NVD

Status : Received

Published: 2026-06-10T17:16:37.123

Modified: 2026-06-10T17:16:37.123

Link: CVE-2026-46609

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T18:30:36Z

Weaknesses