Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location.
The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.
Umbraco supports the configuration of allowed and disallowed file extensions. Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.
{ "nvd_published_at": "2025-04-08T16:15:27Z", "cwe_ids": [ "CWE-22", "CWE-23" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-09T12:49:38Z" }