CVE-2026-46609
Status: Received (Intake)
HTML Injection in Umbraco CMS

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0.
Affected Vendors & Products
Vendor: umbraco
Product: cms
Version range: 14.0.0 (inclusive) to 17.3.5 (inclusive); fixed in 17.4.0
CWE ID Description
CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Mitigation Strategies

The primary mitigation is to upgrade Umbraco CMS to version 17.4.0 or later, where the dialog applies output encoding to the value.

Until the upgrade can be performed, reduce the number of accounts that can write to fields echoed in backoffice confirmation dialogs: remove stale backoffice users, keep editor permissions minimal, and require strong authentication. Note that the attacker must already be an authenticated backoffice user, so this limits who can plant a payload rather than removing the flaw.

Output encoding inside the vendor's dialog component cannot be retrofitted from outside the application. If the backoffice is served with a Content-Security-Policy that blocks inline script, that blunts script execution from an injected payload, but it does not stop pure HTML injection such as spoofed dialog text, so treat it as a stopgap rather than a fix.

Review the backoffice audit log for edits to names or other fields that later appear in dialogs and contain markup characters (for example "<", "onerror", "<img", "<script"), and tell backoffice users to report dialogs whose text looks altered or misaligned.

Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in the Umbraco CMS backoffice, specifically in confirmation dialogs.

Authenticated users can inject HTML code into an input field, which is then rendered in the confirmation dialog without proper output encoding.

Because the value is written into the dialog as markup rather than as text, any HTML or script the attacker stored executes in the browser of whichever backoffice user later opens that dialog.

The vulnerability affects versions from 14.0.0 up to and including 17.3.5 and has been fixed in version 17.4.0.
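The pattern the summary describes, as an added illustration that is not Umbraco's code: a confirmation dialog that interpolates a user-controlled name straight into markup, beside the encoded version, plus a check that a probe payload survives as live markup only in the unsafe one. The dialog wording, the `itemName` field and the probe string are assumptions made for the example.

```javascript
// Added example for the CWE-79 pattern described in CVE-2026-46609.
// Constructed illustration code, not Umbraco's source: the dialog text,
// the "itemName" field and the probe payload are assumptions.

// Vulnerable: the stored item name is concatenated straight into markup,
// so any tags the editor typed into the name become live HTML.
function renderConfirmUnsafe(itemName) {
  return `<p>Are you sure you want to delete <strong>${itemName}</strong>?</p>`;
}

// Fix: encode the five HTML-significant characters before interpolation.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderConfirmSafe(itemName) {
  return `<p>Are you sure you want to delete <strong>${escapeHtml(itemName)}</strong>?</p>`;
}

// Harmless probe: an <img> with an event handler is a common stored-XSS marker.
const PROBE = '<img src=x onerror=alert(document.domain)>';

// Does the rendered output still contain the probe as an unescaped tag
// with its event handler intact?
function injectionSurvives(render, payload = PROBE) {
  const out = render(payload);
  return /<img\b[^>]*\bonerror=/i.test(out);
}

// Constructed sample: a content node renamed by a low-privileged editor.
const maliciousName = `Quarterly report ${PROBE}`;

console.log(injectionSurvives(renderConfirmUnsafe, maliciousName)); // true
console.log(injectionSurvives(renderConfirmSafe, maliciousName));   // false
console.log(renderConfirmSafe(maliciousName));
```

In a Lit-based component the same split appears between a plain text binding (`${name}`, which Lit escapes) and `unsafeHTML(name)` or a direct `innerHTML` assignment, which do not; the check above is deliberately DOM-free so it can run in a unit test or in Node without a browser.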

Impact Analysis

An authenticated backoffice user who can edit a field that is echoed in a confirmation dialog can run HTML or script in the browser of any other backoffice user who later opens that dialog.

The page lists a CVSS base score of 4.6 (medium): network attack vector, low attack complexity, low privileges required, and user interaction required, since the victim has to open the dialog.

The consequences are limited confidentiality and integrity loss within the backoffice, such as exfiltrating data visible to the victim or triggering backoffice actions in their session; availability is not affected. Because the victim is often an administrator, the practical impact of a successful attack can exceed what the base score suggests.

Detection Guidance

The flaw has two halves: an authenticated backoffice user stores HTML in an input field, and the backoffice later renders that stored value into a confirmation dialog without output encoding. Detection therefore has two parts: confirm that the installed Umbraco CMS version is in the range 14.0.0 to 17.3.5, and, where a test environment is available, verify whether the dialog renders a marker as markup instead of showing it literally.

Because the rendering happens client-side in the backoffice, the checks are done with a browser and a web proxy or an authenticated application scanner rather than with network-level commands.

  • Check the installed version in the backoffice UI, or from the Umbraco.Cms package reference in the site's project file, and compare it against the affected range (14.0.0 up to and including 17.3.5).
  • On a staging copy and with a low-privileged test account, set a field that is later echoed in a confirmation dialog (for example an item's name) to a harmless marker such as `<b>probe</b>`, then trigger the dialog. If the word appears bold rather than as the literal characters, output encoding is missing. A proxy such as Burp Suite or OWASP ZAP lets you confirm the stored value is returned unencoded by the backoffice API.
  • Authenticated scanners that test for stored Cross-Site Scripting (XSS) can automate the probe, but they need backoffice credentials and a way to trigger the dialog, so expect to confirm findings manually.
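A version triage helper for the first step in the list above, as an added example and not an Umbraco or vulnerability-database tool: it parses a version string, orders it by SemVer rules (so a 17.4.0 pre-release still counts as before the fix), and checks it against the range the advisory states. The `inventory` object is constructed sample data; how you obtain each site's version string is outside the example.

```javascript
// Added example: classify Umbraco CMS version strings against the range
// given for CVE-2026-46609 (14.0.0 <= v < 17.4.0). Constructed helper,
// not an Umbraco or NVD tool. The inventory below is sample data.

// Parse "17.3.5", "17.4.0-rc1" or "v14.0.0+build.7" into comparable parts.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(raw.trim());
  if (!m) throw new Error(`unrecognised version: ${raw}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// SemVer ordering: numeric core first; a pre-release sorts before the
// corresponding final release (17.4.0-rc1 < 17.4.0). Build metadata is ignored.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] < vb.core[i] ? -1 : 1;
  }
  if (va.pre === vb.pre) return 0;
  if (va.pre === null) return 1;    // final release > pre-release
  if (vb.pre === null) return -1;
  return va.pre < vb.pre ? -1 : 1;  // lexical tiebreak is enough for triage
}

const AFFECTED_FROM = '14.0.0'; // inclusive, per the advisory
const FIXED_IN = '17.4.0';      // exclusive: "before version 17.4.0"

function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Constructed inventory of the kind a fleet check might feed in.
const inventory = {
  'site-a': '13.5.2',       // below the advisory's range
  'site-b': '14.0.0',       // first affected release
  'site-c': '17.3.5',       // last affected release listed for the CPE
  'site-d': '17.4.0-rc1',   // pre-release of the fix version: still before 17.4.0
  'site-e': '17.4.0',       // patched
};

function affectedSites(inv) {
  return Object.entries(inv)
    .filter(([, version]) => isAffected(version))
    .map(([name]) => name);
}

console.log(affectedSites(inventory)); // [ 'site-b', 'site-c', 'site-d' ]
```

Versions below 14.0.0 fall outside the range the advisory gives, which is not the same as a statement that they are unaffected; treat them as out of scope for this CVE rather than as cleared.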