CVE-2025-67288
CRITICAL
Umbraco CMS 16.3.3 - Arbitrary File Upload via Crafted PDF File
Title source: llm
Description
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.
References (2)
Core References
Product
http://umbraco.com
Third Party Advisory
https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288
Scores
CVSS v3
10.0
EPSS
0.0050
EPSS Percentile
39.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
nuget/Umbraco.Cms
0
NuGet
umbraco/umbraco_cms
16.3.3
Published
Dec 22, 2025
Tracked Since
Feb 18, 2026