GHSA-vr9v-27gg-qgx4MediumCVSS 4.6

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Published
May 21, 2026
Last Modified
May 21, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding.

Patches

This issue has been patched in 17.4.0

🎯 Affected products1

  • nuget/Umbraco.Cms:>= 14.0.0, <= 17.3.5

🔗 References (2)