| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 10.0 | CVE-2025-67288 | Umbraco CMS has an arbitrary file upload vulnerability | from 0, <= 16.3.3 |
| HIGH | 8.8 | CVE-2025-32017 | Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users | >= 14.0.0--preview004, < 14.3.4 |
| HIGH | 7.2 | CVE-2026-31834 | Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks | >= 15.3.1, < 16.5.1 |
| MEDIUM | 6.7 | | Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering | >= 16.2.0, < 16.5.1 |
| MEDIUM | 5.5 | | Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads | >= 14.0.0, < 15.4.2 |
| MEDIUM | 5.4 | | Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers | from 0, < 13.14.0 |
| MEDIUM | 5.4 | | Umbraco Backoffice API Allows Unauthorized Modification of Domain Data | >= 14.0.0, < 16.5.1 |
| MEDIUM | 5.4 | | Umbraco CMS Improper Access Control vulnerability | >= 14.0.0, < 14.1.2 |
| MEDIUM | 5.3 | | Umbraco CMS disclosure of configured password requirements | >= 10.0.0, < 10.8.11 |
| MEDIUM | 5.3 | | Umbraco Makes User Enumeration Feasible Based on Timing of Login Response | >= 11.0.0-rc1, < 13.8.1 |
| MEDIUM | 5.3 | | Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes | >= 14.0.0, < 14.3.2 |
| MEDIUM | 4.9 | | Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality | >= 10.0.0, < 13.12.1 |
| MEDIUM | 4.6 | | Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog | >= 14.0.0, < 17.4.0 |
| MEDIUM | 4.6 | | Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice | >= 10.0.0, < 10.8.7 |
| MEDIUM | 4.3 | | XSS/HTML Injection Vulnerability in Umbraco Preview Badge | >= 11.0.0, < 13.5.3 |