Cross-site scripting in Umbraco CMS - CVE-2026-46609

 


Published: May 16, 2026


Vulnerability identifier: #VU131595
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46609
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Umbraco
Affected software:
Umbraco CMS

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary HTML or script content.

The vulnerability exists due to cross-site scripting in the backoffice confirmation dialog when rendering user-supplied input. A remote user can enter crafted content into an input field and have it rendered as arbitrary HTML or script content.

User interaction is required to render the crafted content in the confirmation dialog.
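
The bug class described above, shown as a constructed example that is added here and is not Umbraco code: a confirmation dialog built by concatenating user-supplied input into markup, next to a version that encodes the value first, with a regression check that compares the element tags produced for plain and crafted input. All function names and the sample input are hypothetical.

```javascript
// Added illustration; not Umbraco code. All names here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-supplied input is concatenated into dialog markup.
function renderConfirmUnsafe(itemName) {
  return `<div class="confirm"><p>Delete "${itemName}"?</p></div>`;
}

// Hardened pattern: the value is encoded before it reaches the markup.
function renderConfirmSafe(itemName) {
  return `<div class="confirm"><p>Delete "${escapeHtml(itemName)}"?</p></div>`;
}

// List the element start tags present in rendered markup.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
}

// Regression check: a dialog that treats input as text emits the same
// element tags for any input; a difference means the input became markup.
function introducesMarkup(render, input) {
  const baseline = tagNames(render("plain name")).join(",");
  return tagNames(render(input)).join(",") !== baseline;
}

// Constructed sample input: a benign marker element, no script.
const SAMPLE = 'Home</p><b data-x="1">injected</b><p>';

console.log("unsafe renderer introduces markup:", introducesMarkup(renderConfirmUnsafe, SAMPLE));
console.log("safe renderer introduces markup:  ", introducesMarkup(renderConfirmSafe, SAMPLE));
```

In browser code the same effect comes from assigning the value through `textContent` rather than `innerHTML`.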


How to mitigate CVE-2026-46609

Install the security update from the vendor's website.
