SB2026051609 - Multiple vulnerabilities in Umbraco CMS

Published: May 16, 2026 Updated: May 16, 2026

Security Bulletin ID: SB2026051609
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Open redirect (CVE-ID: CVE-2026-46616)

The vulnerability allows a remote attacker to redirect users to an arbitrary site.

The vulnerability exists due to improper input validation in Surface Controllers when handling member-related form submissions that use a user-controlled RedirectUrl query parameter. A remote attacker can supply a crafted redirect URL to redirect users to an arbitrary site.

User interaction is required to follow the malicious redirect.
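As an added illustration of the defensive check this class of flaw calls for (example code, not Umbraco's own; the `redirectUrl` parameter name and the sample inputs are constructed), the following C# accepts only a same-site relative path as a redirect target and falls back to a fixed page otherwise. ASP.NET Core's `IUrlHelper.IsLocalUrl` performs the equivalent check.

```csharp
using System;

// Added example, not Umbraco code: validate a user-supplied redirect target
// (here a hypothetical "redirectUrl" form/query value) before redirecting.
// Only a same-origin relative path is accepted; anything else is replaced.
public static class RedirectTargetValidator
{
    public static bool IsSafeLocalPath(string? target)
    {
        if (string.IsNullOrWhiteSpace(target))
            return false;

        // Must begin with exactly one '/': "//host" and "/\host" are treated
        // by browsers as scheme-relative URLs pointing at another host.
        if (target[0] != '/')
            return false;
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\'))
            return false;

        // Reject backslashes and control characters anywhere: some browsers
        // normalise '\' to '/', and CR/LF could split the Location header.
        foreach (char c in target)
        {
            if (c == '\\' || char.IsControl(c))
                return false;
        }

        return true;
    }

    // Returns the requested target when it is safe, otherwise a fixed fallback.
    public static string ResolveRedirect(string? requestedTarget, string fallback = "/")
        => IsSafeLocalPath(requestedTarget) ? requestedTarget! : fallback;

    public static void Main()
    {
        // Constructed sample values, as a caller could supply them in the parameter.
        string?[] samples =
        {
            "/member/profile",               // safe: relative path on this site
            "//attacker.example",            // scheme-relative, resolves to another host
            "/\\attacker.example",           // backslash variant of the above
            "https://attacker.example/login", // absolute URL to another host
            "/ok\r\nSet-Cookie: x=y",        // header-injection attempt
            null,
        };
        foreach (var s in samples)
            Console.WriteLine($"{(s ?? "<null>"),-36} -> {ResolveRedirect(s)}");
    }
}
```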


2) Cross-site scripting (CVE-ID: CVE-2026-46609)

The vulnerability allows a remote user to inject arbitrary HTML or script content.

The vulnerability exists due to insufficient output encoding in the backoffice confirmation dialog when rendering user-supplied input. A remote user can submit crafted content into an input field that is later rendered in the dialog, injecting arbitrary HTML or script content.

User interaction is required to render the crafted content in the confirmation dialog.


Remediation

Install the update from the vendor's website.