PT-2025-15452 · Umbraco · Umbraco

Published

2025-04-08

Updated

2025-04-09

CVE-2025-32017

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Umbraco versions 14.0 through 14.3.3 Umbraco versions 15.0 through 15.3.0

Description: The issue allows authenticated users to the Umbraco backoffice to craft management API requests that exploit a path traversal vulnerability, enabling them to upload files into an incorrect location.

Recommendations: For Umbraco versions 14.0 through 14.3.3, update to version 14.3.4 to resolve the issue. For Umbraco versions 15.0 through 15.3.0, update to version 15.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the management API to minimize the risk of exploitation.

Exploit

Fix

Path traversal

Relative Path Traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-23

Related Identifiers

BDU:2026-00060

CVE-2025-32017

GHSA-Q62R-8PPJ-XVF4

Affected Products

Umbraco

PT-2025-15452 · Umbraco · Umbraco

CVE-2025-32017

Weakness Enumeration

Related Identifiers

Affected Products

References · 11