MEDIUM 4.6

CVE-2026-46609: Umbraco CMS XSS Vulnerability in Confirmation Dialog (v14–v17.3)

Umbraco CMS versions 14.0.0 through 17.3.x contain a stored cross-site scripting (XSS) vulnerability in a confirmation dialog. Authenticated users can inject malicious HTML into an input field that gets rendered without proper encoding, allowing attackers to execute arbitrary JavaScript in the context of other users' browsers. This requires an attacker to have valid credentials and typically requires user interaction to trigger the payload.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46609 is a reflected/stored cross-site scripting vulnerability in Umbraco CMS affecting versions 14.0.0 through 17.3.x. The vulnerability exists in a confirmation dialog that accepts user input but fails to properly HTML-encode output before rendering. An authenticated attacker can inject malicious HTML and JavaScript through an input field. When a victim user views the confirmation dialog containing the injected payload, the malicious script executes in their browser with their session privileges. The flaw stems from a missing or insufficient output encoding mechanism (CWE-79). Mitigation requires upgrading to version 17.4.0 or later.

Business impact

This vulnerability allows authenticated attackers to compromise account security and steal sensitive information from other users. Potential impacts include unauthorized data access, session hijacking, privilege escalation within the CMS, and malware distribution to website visitors. Since this requires valid credentials, the risk is primarily internal—compromised accounts, disgruntled staff, or accounts obtained through credential leaks pose the main threat. Websites using vulnerable Umbraco instances as their content management backend could suffer defacement, malicious content injection, or visitor compromise.

Affected systems

Umbraco CMS versions 14.0.0 through 17.3.x are vulnerable. Version 17.4.0 and later include the fix. Verify your installed version in the Umbraco dashboard (Settings > About). Administrators should check all Umbraco installations across their infrastructure, particularly those with public-facing backends or high-risk user populations.

Exploitability

Exploitability is straightforward for attackers who possess valid Umbraco credentials. No elevated privileges are required—any authenticated user can inject the payload. However, the attack requires victim interaction to view the confirmation dialog containing the malicious HTML. The attack vector is network-based with low attack complexity. The CVSS score of 4.6 (MEDIUM) reflects these constraints: authentication requirement and user interaction dependency limit severity, but successful exploitation does enable information disclosure and integrity compromise.

Remediation

Apply Umbraco CMS version 17.4.0 or later immediately. Review your patch management process to ensure timely updates are applied to all Umbraco instances. Additionally, restrict CMS backend access to trusted IP ranges and enforce strong authentication (multi-factor authentication strongly recommended) to limit exposure to credential-based attacks. Consider auditing CMS user accounts and access logs for any suspicious activity.

Patch guidance

Upgrade all Umbraco CMS instances to version 17.4.0 or later. Consult the official Umbraco release notes and vendor advisory for version-specific upgrade instructions, database migration requirements, and compatibility notes. Test patches in a staging environment before production deployment. For organizations unable to patch immediately, implement compensating controls such as web application firewall rules to detect and block common XSS payloads in Umbraco form submissions.

Detection guidance

Monitor Umbraco application logs and HTTP traffic for suspicious input patterns, particularly in confirmation dialog parameters or form fields known to feed the vulnerable code path. Look for HTML tags (<, >, script, iframe, onerror, onload) in user input that should be plain text. Web application firewalls and intrusion detection systems can detect XSS attempts if properly tuned for Umbraco-specific attack surfaces. Enable detailed logging on CMS authentication and user actions to correlate XSS attempts with specific user accounts. Check recent backups and logs for evidence of prior exploitation.

Why prioritize this

Although CVSS assigns this a MEDIUM severity score, prioritize patching based on your Umbraco exposure and user account security posture. Organizations with high-value content, strict compliance requirements, or numerous CMS editors should treat this as higher priority. The requirement for valid credentials reduces immediate external risk, but compromised or insider accounts make this a credible threat. If you maintain public-facing Umbraco instances, prioritize upgrades to prevent content injection and visitor compromise.

Risk score, explained

The CVSS v3.1 score of 4.6 reflects the following factors: the vulnerability requires authentication (lowers score), user interaction is needed to trigger execution (lowers score), and the attack is network-based with low complexity (typical for web flaws). The impact scope is unchanged (single user affected), with modest confidentiality and integrity impact (accessing/modifying limited data within the user's session). The lack of availability impact (no denial of service) further constrains the score. The KEV program has not added this to its catalog, indicating it is not yet publicly exploited.

Frequently asked questions

What versions of Umbraco are vulnerable?

Umbraco CMS versions 14.0.0 through 17.3.x. Version 17.4.0 and all later versions include the fix. If you are running version 14 or 15, or any version before 17.4.0, you are vulnerable.

Do I need admin rights to exploit this vulnerability?

No. Any authenticated Umbraco user—including content editors, backoffice users with minimal permissions, or contributors—can inject the malicious HTML. You do not need administrative credentials to trigger the vulnerability.

How can I check if my Umbraco instance has been compromised?

Review Umbraco audit logs and backoffice access logs for suspicious user activity or unexpected content changes. Check for injected JavaScript or HTML tags in content items or configuration. Look for sessions from unfamiliar IP addresses or unusual activity timing. Consider running a security scan of your website to identify injected scripts.

Is upgrading to 17.4.0 sufficient, or do I need to do anything else?

Upgrading to 17.4.0 or later eliminates the vulnerability itself. However, review your CMS user access controls, enforce strong passwords, enable multi-factor authentication for CMS users, and audit existing accounts. If a compromise is suspected, reset all user passwords and review recent content changes.

This analysis is provided for informational and educational purposes. It does not constitute professional security advice. Organizations should verify all vulnerability details, patch availability, and compatibility against official vendor advisories and their own infrastructure. Testing should be conducted in isolated environments before production deployment. SEC.co and its authors assume no liability for decisions made based on this analysis. Always consult your vendor's official security bulletin and conduct independent validation of affected systems. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).