CVE Catalog

CVE-2026-46609

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

Umbraco is an ASP.NET CMS. Authenticated users can inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding.

Risk Assessment

An attacker could exploit this vulnerability to inject malicious code, potentially leading to XSS attacks and compromising user data security.

Recommendation

It is recommended to upgrade to version 17.4.0 or later to mitigate this vulnerability.

Original NVD description (English source)

Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS