Cross-site scripting in Umbraco CMS - CVE-2026-31833


Published: May 5, 2026


Vulnerability identifier: #VU130188
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31833
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Umbraco
Affected software:
Umbraco CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in other backoffice users' browsers.

The vulnerability exists due to cross-site scripting in the UFM rendering pipeline when rendering property type descriptions containing malicious HTML. A remote privileged user can inject event handler attributes into supported web components to execute arbitrary script in other backoffice users' browsers.

Only backoffice users with access to Settings can exploit this issue, and the injected payload is stored in property type descriptions.
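The injection primitive described above, an inline event handler attribute (`onclick`, `onmouseover`, ...) placed on an element inside a stored property type description, is easy to audit for. The following is an added example, not Umbraco's code and not the vendor's fix: a small scanner that reports every inline event handler attribute in a batch of descriptions, plus a stripping routine that rewrites the HTML without them. The element name `x-component`, the aliases, the description text and the `runPayload()` value are all constructed placeholders, not real Umbraco components or a real payload. The tokenizer only handles plain start tags with quoted or unquoted attributes; a production sanitizer should use a real HTML parser with an attribute allowlist (for example DOMPurify in a browser context).

```javascript
// Added example for this advisory; not Umbraco's code. Audits HTML stored in
// property type descriptions for inline event handler attributes, which is the
// injection primitive CVE-2026-31833 describes, and produces a copy without them.
//
// Assumptions: descriptions are plain HTML strings (no comments or CDATA);
// element names and payload text below are placeholders, not Umbraco's own.

// One start tag: captures the element name and its raw attribute text. Quoted
// values are consumed whole so a '>' inside a value does not end the tag early.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;

// One attribute: name, then an optional =value (double-, single- or unquoted).
const ATTR_RE = /([^\s"'=<>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Any attribute named on<letter> is an inline event handler, whatever its case
// (onclick, onClick, ONLOAD, ...).
const EVENT_ATTR_RE = /^on[a-z]/i;

// Splits the raw attribute text of one tag into { name, value } pairs.
// A bare attribute (no '=') gets value null. A trailing '/' is not an attribute.
function parseAttributes(raw) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs.push({ name: m[1], value: m[2] ?? m[3] ?? m[4] ?? null });
  }
  return attrs;
}

// Returns every inline event handler in the HTML with the element it sits on.
function findEventHandlers(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    for (const a of parseAttributes(m[2])) {
      if (EVENT_ATTR_RE.test(a.name)) {
        findings.push({ tag, attr: a.name.toLowerCase(), value: a.value });
      }
    }
  }
  return findings;
}

// Returns the HTML with every inline event handler attribute removed. Kept
// values are re-serialized double-quoted with '"' escaped, so a value cannot
// break out of its quotes after rewriting.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (whole, name, raw) => {
    const kept = parseAttributes(raw)
      .filter((a) => !EVENT_ATTR_RE.test(a.name))
      .map((a) =>
        a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`
      );
    const selfClosing = /\/\s*$/.test(raw) ? ' /' : '';
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClosing}>`;
  });
}

// Constructed sample: descriptions as an audit job might read them from the
// CMS. 'x-component' stands in for any web component the renderer supports;
// runPayload() is a placeholder, not a real payload.
const SAMPLE_DESCRIPTIONS = [
  { alias: 'pageTitle', description: 'Shown in the browser tab. <strong>Keep it short.</strong>' },
  { alias: 'heroImage', description: 'Pick an image. <x-component name="hint" onmouseover="runPayload()">?</x-component>' },
  { alias: 'summary', description: "Max 160 chars <x-component onClick='runPayload()' />" },
];

// Reports only the descriptions that carry at least one event handler.
function auditDescriptions(items) {
  return items
    .map((d) => ({ alias: d.alias, handlers: findEventHandlers(d.description) }))
    .filter((r) => r.handlers.length > 0);
}

// Run the audit over the sample and show what an operator would see.
console.log(JSON.stringify(auditDescriptions(SAMPLE_DESCRIPTIONS), null, 2));
```

Because the advisory states the payload is stored in property type descriptions, a check like this is worth running against the stored descriptions as well as installing the update: the update changes how descriptions are rendered, and any description that already contains an injected handler is something you want to know about and clean up regardless.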


How to mitigate CVE-2026-31833

Install the security update from the vendor's website.
