CVE Catalog

CVE-2026-46616

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some Surface Controllers in the CMS fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.

Risk Assessment

The lack of validation for redirect URLs may lead to unauthorized redirection of users to malicious sites, posing a risk of data theft or malware infection.

Recommendation

It is recommended to update Umbraco to versions 13.14.0 or 17.4.0 to mitigate this vulnerability and implement additional validation mechanisms for redirect URLs.

Original NVD description (English source)

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS