Umbraco CMS, Open Redirect in Surface Controllers, CVE-2025-47874 (Medium)

Listen to this Post

The vulnerability arises because the `Umbraco.Cms` package fails to validate certain redirect URLs, specifically within specific Surface Controllers (such as UmbLoginStatusController, UmbProfileController, and UmbRegisterController) that handle member-related operations. The affected Surface Controller endpoints directly accept user input for the `RedirectUrl` parameter without performing proper validation on its destination. An attacker can exploit this by crafting a login, profile update, or registration request that contains a malicious redirect URL. When an unsuspecting victim interacts with the form, the application redirects the victim to the attacker-controlled website, a classic open redirect scenario.
Platform: Umbraco CMS
Version: <13.14.0, 17.0.0-17.3.5
Vulnerability: Open Redirect
Severity: Moderate
Date: May 21, 2026

Prediction: Patch by May 21, 2026

What Undercode Say:

Analytics show open redirect attacks often used for phishing and social engineering. Monitor your Umbraco application logs for suspicious redirects using the following shell command:

grep -E "RedirectUrl=https?://" /var/log/umbraco/UmbracoTraceLog.

How Exploit:

Exploit this vulnerability by luring a victim to a crafted URL that includes a malicious redirect target:
`https://target.com/login?redirectUrl=https://evil.com`

Protection from this CVE

  • Immediately upgrade Umbraco CMS to versions 13.14.0 or 17.4.0 or later.
  • If unable to upgrade immediately, manually validate all redirect URLs by setting a concrete, trusted URL in your Razor forms.

Impact:

  • Phishing Attacks: Redirect users to malicious sites designed to steal credentials.
  • Reputation Damage: Trusted domain is abused to host malicious content.
  • Security Bypass: Open redirects can be chained with other vulnerabilities to escalate attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top