CVE-2026-31833 Umbraco — Exploit & Vulnerability Details MEDIUM

CVE-2026-31833

MEDIUM CVSS 3.1: 6.7 EPSS 0.04%

Parameter	Value
CVSS	6.7 (MEDIUM)
Affected Versions	before 16.5.1
Fixed In	16.5.1
Type	CWE-79 (Cross-Site Scripting (XSS))
Vendor	Umbraco
Public PoC	No

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered.

This vulnerability is fixed in 16.5.1 and 17.2.2.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

High

Admin privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

Low

Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 1

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vrqc-59mw-qqg7

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31834

Umbraco

7.2

CVE-2026-31832

Umbraco

5.4

Menu

CVE-2026-31833

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 1

Related Vulnerabilities

CVE-2026-31834

CVE-2026-31832

CVE Details

Editor's Choice

Menu

CVE-2026-31833

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 1

Related Vulnerabilities

CVE-2026-31834

CVE-2026-31832

CVE Details

Editor's Choice

Stay informed on cybersecurity