CVE-2026-46609

Published: Jun 10, 2026Modified: Jun 12, 2026

4.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.1 / Impact: 2.5

Source: security-advisories@github.com (Secondary)

Description

Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

Affected (1)

Products: Umbraco: Umbraco Cms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Umbraco Umbraco Cms	From 14.0.0 to 17.4.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.