GHSA-vr9v-27gg-qgx4

Source

https://github.com/advisories/GHSA-vr9v-27gg-qgx4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vr9v-27gg-qgx4/GHSA-vr9v-27gg-qgx4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vr9v-27gg-qgx4

Aliases

CVE-2026-46609

Published

2026-05-21T20:43:06Z

Modified

2026-06-10T18:46:55.389617633Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Details

Impact

Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding.

Patches

This issue has been patched in 17.4.0

Database specific

{
    "nvd_published_at": "2026-06-10T17:16:37Z",
    "github_reviewed_at": "2026-05-21T20:43:06Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

NuGet / Umbraco.Cms

Package

Name: Umbraco.Cms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

17.4.0

Affected versions

14.*

14.0.0

14.1.0-rc

14.1.0-rc2

14.1.0

14.1.1

14.1.2

14.2.0-rc

14.2.0-rc2

14.2.0-rc3

14.2.0

14.3.0-rc

14.3.0

14.3.1

14.3.2

14.3.3

14.3.4

15.*

15.0.0-rc1

15.0.0-rc2

15.0.0-rc3

15.0.0-rc4

15.0.0

15.1.0-rc

15.1.0-rc2

15.1.0

15.1.1

15.1.2

15.2.0-rc

15.2.0

15.2.1

15.2.2

15.2.3

15.3.0-rc

15.3.0-rc2

15.3.0

15.3.1

15.4.0-rc

15.4.0-rc2

15.4.0

15.4.1

15.4.2

15.4.3

15.4.4

16.*

16.0.0-rc

16.0.0-rc2

16.0.0-rc3

16.0.0-rc4

16.0.0-rc5

16.0.0-rc6

16.0.0

16.1.0-rc

16.1.0

16.1.1

16.2.0-rc

16.2.0-rc2

16.2.0

16.3.0-rc

16.3.0-rc2

16.3.0-rc3

16.3.0-rc4

16.3.0

16.3.1

16.3.2

16.3.3

16.3.4

16.4.0-rc

16.4.0-rc2

16.4.0

16.4.1

16.5.0-rc

16.5.0

16.5.1

17.*

17.0.0-beta

17.0.0-rc1

17.0.0-rc2

17.0.0-rc3

17.0.0-rc4

17.0.0

17.0.1

17.0.2

17.1.0-rc

17.1.0

17.2.0-rc

17.2.0-rc2

17.2.0

17.2.1

17.2.2

17.3.0-rc

17.3.0-rc2

17.3.0-rc3

17.3.0

17.3.1

17.3.2

17.3.3

17.3.4

17.3.5

17.4.0-rc

17.4.0-rc2

17.4.0-rc3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vr9v-27gg-qgx4/GHSA-vr9v-27gg-qgx4.json"

last_known_affected_version_range

"<= 17.3.5"