What is GHSA-vr9v-27gg-qgx4?

GHSA-vr9v-27gg-qgx4 is a security advisory published by GitHub Security Advisories with Medium severity. Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Which CVE IDs does GHSA-vr9v-27gg-qgx4 cover?

GHSA-vr9v-27gg-qgx4 covers the following CVE IDs: CVE-2026-46609. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vr9v-27gg-qgx4?

GHSA-vr9v-27gg-qgx4 has a CVSS v3 base score of 4.6, published by GitHub Security Advisories.

Which products are affected by GHSA-vr9v-27gg-qgx4?

GHSA-vr9v-27gg-qgx4 affects 1 product, including: nuget/Umbraco.Cms:\u003e= 14.0.0, \u003c= 17.3.5.

GHSA-vr9v-27gg-qgx4MediumCVSS 4.6

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-46609 →

📋 Description

### Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. ### Patches This issue has been patched in 17.4.0

🎯 Affected products1

nuget/Umbraco.Cms:>= 14.0.0, <= 17.3.5

🔗 References (2)

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4
https://github.com/advisories/GHSA-vr9v-27gg-qgx4