Umbraco DOMPurify Misconfiguration Leads to Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Umbraco CMS versions from 16.2.0 up to but not including 16.5.1, and in versions prior to 17.2.2. It allows authenticated backoffice users with access to the Settings section to inject malicious HTML into property type descriptions. The root cause is an overly permissive attribute name check in the UFM DOMPurify instance, which fails to filter event handler attributes such as 'onclick' and 'onload' when they appear on specific Umbraco web components. As a result, injected event handlers execute in the backoffice interface, potentially affecting other users.
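
The advisory does not publish the faulty check, so the following is an added model of the bug class, not Umbraco's code: a DOMPurify `uponSanitizeAttribute` hook that re-admits every attribute on a web component (any hyphenated tag) beside a hardened hook that never re-admits `on*` attributes, plus an audit helper that lists event handler attributes in already stored HTML. The `example-widget` tag name and the sample description are constructed placeholders.

```javascript
// Added illustration of the advisory's bug class, not Umbraco's code.
// DOMPurify strips on* attributes by default, but a caller can re-admit an
// attribute from an uponSanitizeAttribute hook by setting data.forceKeepAttr.
// A hook that keys only on "is this a web component" lets handlers survive.

const CUSTOM_ELEMENT = /^[a-z][a-z0-9.]*-[a-z0-9.-]*$/; // hyphenated tag, e.g. example-widget
const EVENT_HANDLER = /^on/;                             // onclick, onload, onerror, ...

// Permissive check modelled on the advisory: any attribute on a custom element is kept.
function permissiveKeepAttr(tagName, attrName) {
  return CUSTOM_ELEMENT.test(tagName.toLowerCase());
}

// Hardened check: never re-admit an event handler attribute, whatever the element.
// Deliberately conservative: anything starting with "on" is refused.
function hardenedKeepAttr(tagName, attrName) {
  const name = attrName.trim().toLowerCase();
  if (EVENT_HANDLER.test(name)) return false;
  return CUSTOM_ELEMENT.test(tagName.toLowerCase());
}

// Wraps a check in the shape DOMPurify's hook expects:
//   DOMPurify.addHook('uponSanitizeAttribute', makeHook(hardenedKeepAttr));
function makeHook(keepAttr) {
  return (node, data) => {
    if (keepAttr(node.tagName, data.attrName)) data.forceKeepAttr = true;
  };
}

// Defender's audit for content stored before the fix: list every on* attribute
// in an HTML fragment. TAG_RE tolerates '>' inside quoted attribute values.
const TAG_RE = /<([a-zA-Z][\w.-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
function findEventHandlerAttributes(html) {
  const hits = [];
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    for (const [, name] of attrs.matchAll(ATTR_RE)) {
      if (EVENT_HANDLER.test(name.toLowerCase())) hits.push({ tag: tag.toLowerCase(), attr: name.toLowerCase() });
    }
  }
  return hits;
}

// Constructed sample property type description; "example-widget" is a placeholder tag.
const SAMPLE = '<p>Shown under the field <example-widget key="k" onclick="x()">!</example-widget>'
             + ' <img src="i.png" onload="y()"></p>';
```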

Impact

Exploitation results in stored cross-site scripting: the injected script executes in the context of any backoffice user who views the affected property type description.

Remediation

Upgrade to Umbraco 16.5.1 or 17.2.2, which contain the fix for this vulnerability.

Added: Mar 10, 2026, 10:19 PM
Updated: Mar 10, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
  spread:          6.4
  impact:          5.4
  exploitability:  5.2
  remediation:     7.7
  relevance:       3.7
  threat:          0.0
  urgency:         2.9
  incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.