PatchSiren cyber security CVE debrief
CVE-2026-46609 umbraco CVE debrief
CVE-2026-46609 is a MEDIUM severity vulnerability in Umbraco CMS. From version 14.0.0 to before version 17.4.0, authenticated users can inject HTML into an input field. This injected HTML is then rendered in the confirmation dialog without proper output encoding. The vulnerability has been patched in version 17.4.0.
- Vendor: umbraco
- Product: Umbraco-CMS
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-12
Who should care
Users of Umbraco CMS, particularly those running versions from 14.0.0 (inclusive) up to 17.4.0 (exclusive), should be aware of this vulnerability. Successful exploitation requires authentication and user interaction.
Technical summary
The vulnerability exists in Umbraco CMS versions from 14.0.0 to before 17.4.0. Authenticated users can inject HTML into an input field, which is then rendered in the confirmation dialog without proper encoding. The CVSS score for this vulnerability is 4.6, indicating a MEDIUM severity.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Umbraco CMS version 17.4.0 or later.
- Ensure that user input is properly encoded before rendering in dialogs.
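The second action above is the root-cause fix for this class of bug: a confirmation dialog that builds its message from a user-editable field must encode that value at the point it is written into HTML. The following is an added illustration, not code from Umbraco or from the advisory; the dialog builders, the field name itemName and the sample input are assumptions chosen to show the unencoded pattern the debrief describes next to the encoded form.

```javascript
// Added example (not Umbraco code). "itemName" stands in for any field an
// authenticated user can edit that later appears in a confirmation dialog.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute value. '&' is handled first so existing entities
// are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unencoded pattern: the raw value is concatenated into markup. Any tags in
// itemName become part of the dialog's DOM once this string hits innerHTML.
function buildConfirmationUnsafe(itemName) {
  return `<p>Are you sure you want to delete <strong>${itemName}</strong>?</p>`;
}

// Encoded pattern: same template, but the untrusted value is escaped where it
// is written into HTML, so any markup it carries is shown as literal text.
function buildConfirmationSafe(itemName) {
  return `<p>Are you sure you want to delete <strong>${escapeHtml(itemName)}</strong>?</p>`;
}

// Review helper: true if the rendered markup contains a tag that did not come
// from the template itself, i.e. user-controlled markup reached the output.
function containsInjectedTag(markup, templateTags) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !templateTags.includes(t));
}

// The only tags the template itself emits.
const TEMPLATE_TAGS = ['<p>', '</p>', '<strong>', '</strong>'];

// Constructed sample input: an item name carrying markup.
const sample = 'Quarterly <i>report</i>';

console.log('unencoded:', buildConfirmationUnsafe(sample));
console.log('encoded:  ', buildConfirmationSafe(sample));
console.log('injected tag in unencoded output:',
  containsInjectedTag(buildConfirmationUnsafe(sample), TEMPLATE_TAGS));
console.log('injected tag in encoded output:  ',
  containsInjectedTag(buildConfirmationSafe(sample), TEMPLATE_TAGS));
```

In browser code the simplest form of the same fix is to avoid building markup strings at all: create the `<strong>` element and assign the item name to its `textContent`, which the DOM treats as data rather than markup. The encoding function is for the cases where a string template is unavoidable, and the `containsInjectedTag` check is the kind of assertion a unit test for the dialog component can carry so that a future refactor back to raw concatenation fails the build.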
Evidence notes
CVE-2026-46609 has been analyzed and verified by official sources.
Official resources
- CVE-2026-46609 CVE record (CVE.org)
- CVE-2026-46609 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-46609 was published on 2026-06-10T17:16:37.123Z and modified on 2026-06-12T19:34:47.973Z.