CVE-2026-46609
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Umbraco is an ASP.NET CMS. Authenticated users can inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding.
Risk Assessment
An attacker could exploit this vulnerability to inject malicious code, potentially leading to XSS attacks and compromising user data security.
Recommendation
It is recommended to upgrade to version 17.4.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

