PT-2026-24486 · Umbraco · Umbraco
Odgrso
·
Published
2026-03-10
·
Updated
2026-03-12
·
CVE-2026-31833
CVSS v3.1
6.7
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Umbraco versions 16.2.0 through 16.5.0
Umbraco 17.x versions prior to 17.2.2
Description
Umbraco is an ASP.NET CMS. An authenticated backoffice user with access to the Settings section can inject malicious HTML into property type descriptions. Descriptions are rendered through Umbraco Flavored Markdown (UFM), whose DOMPurify instance is configured to let Umbraco's own web components through (tags prefixed umb-, uui- and ufm-). For those elements the CUSTOM_ELEMENT_HANDLING attributeNameCheck was set to the catch-all regex /.+/, so any attribute name was accepted on them. DOMPurify applies no value check to an attribute admitted through that path, so event handler attributes such as onclick and onload survived sanitization on those tags, and their JavaScript runs in the browser of any backoffice user who views the description: stored cross-site scripting. The PR:H in the vector reflects that the attacker must already hold a backoffice account with Settings access.
Recommendations
Update to Umbraco version 16.5.1 or later.
Update to Umbraco version 17.2.2 or later.
The fix changes what the sanitizer lets through at render time; descriptions that were already altered remain stored, so review them after upgrading to find out whether the issue was exploited.
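The following is an added example and not code from Umbraco or DOMPurify. It reproduces the decision DOMPurify makes for attributes on custom elements once CUSTOM_ELEMENT_HANDLING is configured (the option names tagNameCheck, attributeNameCheck and allowCustomizedBuiltInElements are DOMPurify's documented ones), so the permissive /.+/ setting named in the description can be compared with an allow-list offline, and it adds a small triage scanner for stored descriptions. The tagNameCheck regex, the hardened attribute allow-list and the sample descriptions are assumptions constructed for the example, not the values Umbraco ships.

```javascript
// Added example; not Umbraco's or DOMPurify's own code.
// Option names follow DOMPurify's CUSTOM_ELEMENT_HANDLING; the regexes are assumptions.

// The setting described in the advisory: any attribute name is accepted on umb-/uui-/ufm- tags.
const WEAK_CUSTOM_ELEMENT_HANDLING = {
  tagNameCheck: /^(umb|uui|ufm)-/,
  attributeNameCheck: /.+/,
  allowCustomizedBuiltInElements: false,
};

// Hardened form (assumed allow-list): only the attribute names the components need.
// No on* name can match it, so event handlers are stripped like on any other element.
const HARDENED_CUSTOM_ELEMENT_HANDLING = {
  tagNameCheck: /^(umb|uui|ufm)-/,
  attributeNameCheck: /^(class|id|alias|label|icon|value|name|data-[a-z0-9-]+)$/,
  allowCustomizedBuiltInElements: false,
};

// DOMPurify accepts either a RegExp or a predicate function for both checks.
function matches(check, s) {
  if (check instanceof RegExp) return check.test(s);
  return typeof check === 'function' && Boolean(check(s));
}

// Mirrors the custom-element branch of DOMPurify's _isValidAttribute: an attribute that
// is not in the default ALLOWED_ATTR list is still kept when the tag contains a hyphen,
// tagNameCheck accepts the tag and attributeNameCheck accepts the attribute name.
// The attribute value is never inspected on that path, which is why an on* handler
// keeps its JavaScript body under the weak setting.
function customElementAttrKept(handling, tag, attr) {
  const lcTag = tag.toLowerCase();
  const lcName = attr.toLowerCase();
  if (!lcTag.includes('-')) return false; // not a custom element: normal allow-list applies
  return matches(handling.tagNameCheck, lcTag) && matches(handling.attributeNameCheck, lcName);
}

// Triage helper for stored descriptions: list on* attributes sitting on tags with the
// affected prefixes. Regex-based, so treat it as a first pass over database rows, not a parser.
const START_TAG = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function findEventHandlers(html, tagPrefix = /^(umb|uui|ufm)-/i) {
  const findings = [];
  for (const m of html.matchAll(START_TAG)) {
    const tag = m[1].toLowerCase();
    if (!tagPrefix.test(tag)) continue;
    for (const a of m[2].matchAll(ATTR)) {
      const name = a[1].toLowerCase();
      if (!name.startsWith('on')) continue;
      findings.push({ tag, attr: name, value: a[2] ?? a[3] ?? a[4] ?? '' });
    }
  }
  return findings;
}

// Constructed sample: property type descriptions as they might sit in the database,
// one benign and two carrying injected handlers.
const SAMPLE_DESCRIPTIONS = [
  'Enter the <strong>SEO title</strong> for this page.',
  '<umb-icon name="icon-alert" onclick="alert(document.domain)"></umb-icon> Required field',
  '<uui-button label="Save" onmouseover="alert(1)">Save</uui-button>',
];

// Returns one finding per suspicious attribute, tagged with the row it came from.
function scanAll(descriptions) {
  return descriptions.flatMap((d, i) => findEventHandlers(d).map((f) => ({ row: i, ...f })));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak keeps onclick:', customElementAttrKept(WEAK_CUSTOM_ELEMENT_HANDLING, 'umb-icon', 'onclick'));
  console.log('hardened keeps onclick:', customElementAttrKept(HARDENED_CUSTOM_ELEMENT_HANDLING, 'umb-icon', 'onclick'));
  console.table(scanAll(SAMPLE_DESCRIPTIONS));
}
```

To reproduce the same outcome against the real library, pass either object as `CUSTOM_ELEMENT_HANDLING` in the config argument of `DOMPurify.sanitize(html, config)` in a browser or jsdom and compare the output for `<umb-icon onclick="...">`. The scanner only tells you which stored rows carry a handler on an affected tag; whether it ever fired depends on which backoffice users opened the property editor.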
Exploit
Fix
XSS
Affected Products
Umbraco