CVE-2026-31833
Severity: MEDIUM
Umbraco.Cms 16.2.0-16.5.1 and 17.0.0-17.2.1 - Authenticated Stored Cross-Site Scripting via Property Type Description
Title source: llmDescription
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Because the attributeNameCheck configuration of the UFM DOMPurify instance was overly permissive (/.+/), event handler attributes such as onclick and onload were not filtered when used within Umbraco web components (umb-*, uui-*, ufm-*). This vulnerability is fixed in 16.5.1 and 17.2.2.
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vrqc-59mw-qqg7
Scores
CVSS v3: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
EPSS: 0.0007
EPSS Percentile: 20.4%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (4)
nuget/Umbraco.Cms: 16.2.0 - 16.5.1 (NuGet)
umbraco/Umbraco-CMS: >= 16.2.0, < 16.5.1
umbraco/Umbraco-CMS: >= 17.0.0, < 17.2.1
umbraco/umbraco_cms: 16.2.0 - 16.5.1
Published: Mar 10, 2026
Tracked Since: Mar 11, 2026