CVE-2021-47776

MEDIUM

Umbraco CMS 8.14.1 - Server-Side Request Forgery via Dashboard and Help Controller Endpoints

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47776. PoCs published by NgoAnhDuc.

AI-analyzed exploit summary: This exploit demonstrates a Server-Side Request Forgery (SSRF) vulnerability in Umbraco CMS v8.14.1. It leverages the 'baseUrl' parameter in three different API endpoints to force the server to make arbitrary HTTP requests.

Description

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.

Exploits (1)

exploitdb WORKING POC
by NgoAnhDuc · text · webapps · aspx
https://www.exploit-db.com/exploits/50462

Classification
Working PoC: 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Umbraco CMS v8.14.1
No auth needed
Prerequisites: Access to the Umbraco CMS instance
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, VDB Entry exploit
https://www.exploit-db.com/exploits/50462
Product product
https://our.umbraco.com/

Scores

CVSS v3 5.3
EPSS 0.0001
EPSS Percentile 2.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-918
Status published
Products (3)
nuget/UmbracoCms NuGet
umbraco/Umbraco 8.14.1
umbraco/umbraco_cms 8.14.1
Published Jan 15, 2026
Tracked Since Feb 18, 2026