Security Advisory

CVE-2026-31833

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-10 21:51:51
Last updated 2026-03-11 15:58:47
Assigner GitHub_M
State PUBLISHED

Description

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered. This vulnerability is fixed in 16.5.1 and 17.2.2.