CVE-2026-46609
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
CVSS Score
4.6
EPSS Score
0.0%
EPSS Percentile
0th
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
| CWE | CWE-79 |
| Vendor | umbraco |
| Product | umbraco-cms |
| Published | Jun 10, 2026 |
| Last Updated | Jun 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for umbraco umbraco-cms
Be the first to know when new medium vulnerabilities affecting umbraco umbraco-cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
umbraco / Umbraco-CMS
>= 14.0.0, < 17.4.0