6.7
Umbraco allows hackers to inject malicious code in property type descriptions
CVE-2026-31833
GHSA-vrqc-59mw-qqg7
Summary
An attacker with access to the Umbraco backoffice can inject malicious code into property type descriptions, which can affect other users viewing those descriptions. This can happen when an attacker with permission to edit settings enters malicious HTML into a property type description. To fix this, upgrade to Umbraco version 16.5.1 or 17.2.2.
What to do
- Update umbraco.cms to version 16.5.1.
- Update umbraco.cms to version 17.2.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | umbraco.cms | > 16.2.0, <= 16.5.1 | 16.5.1 |
| – | umbraco.cms | > 17.0.0, <= 17.2.1 | 17.2.2 |
Original title
Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
Original description
### Description
An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive `attributeNameCheck` configuration (`/.+/`) in the UFM DOMPurify instance, event handler attributes such as `onclick` and `onload`, when used within Umbraco web components (`umb-*`, `uui-*`, `ufm-*`), were not filtered.
### Impact
As property type descriptions support Markdown/HTML via the UFM rendering pipeline, injected event handlers are rendered in the backoffice interface, resulting in a stored XSS affecting other backoffice users.
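The following is an added example, not code from Umbraco or DOMPurify. It models the one decision the advisory is about: DOMPurify's `CUSTOM_ELEMENT_HANDLING` keeps an attribute that is not on the default allow-list whenever `tagNameCheck` matches the tag and `attributeNameCheck` matches the attribute name, so a check of `/.+/` lets `onclick` and `onload` through on `umb-*`, `uui-*` and `ufm-*` elements. The reduced allow-list, the hardened regex and the sample element list are assumptions constructed for the example; the hardened regex is one possible fix, not the vendor's patch.

```javascript
// Added example: a minimal model of DOMPurify's CUSTOM_ELEMENT_HANDLING attribute
// decision. Not Umbraco's or DOMPurify's own code; configs and sample markup are
// constructed for illustration.

// Stand-in for DOMPurify's default attribute allow-list (small subset, assumption).
const DEFAULT_ALLOWED_ATTR = new Set(['class', 'id', 'title', 'name', 'href', 'alt']);

// Weak setting as described in the advisory: any attribute name passes on
// umb-*/uui-*/ufm-* elements, including event handlers.
const PERMISSIVE_CONFIG = {
  tagNameCheck: /^(umb|uui|ufm)-/,
  attributeNameCheck: /.+/,
};

// Hardened setting (assumption, not the vendor's patch): same tags, but the
// attribute name must be a plain identifier that does not start with "on".
const HARDENED_CONFIG = {
  tagNameCheck: /^(umb|uui|ufm)-/,
  attributeNameCheck: /^(?!on)[a-z][a-z0-9-]*$/,
};

// DOMPurify accepts either a RegExp or a predicate function for these checks.
function matches(check, value) {
  if (check instanceof RegExp) return check.test(value);
  if (typeof check === 'function') return Boolean(check(value));
  return false;
}

// Mirrors the order DOMPurify uses: default allow-list first, then the
// custom-element escape hatch (tag must match AND attribute name must match).
function isAttributeAllowed(tagName, attrName, config) {
  const tag = tagName.toLowerCase();
  const attr = attrName.toLowerCase();
  if (DEFAULT_ALLOWED_ATTR.has(attr)) return true;
  return matches(config.tagNameCheck, tag) && matches(config.attributeNameCheck, attr);
}

// Sanitize a parsed element list: returns a copy with disallowed attributes dropped,
// plus the "tag@attr" names that were removed so a reviewer can see what the config did.
function sanitizeElements(elements, config) {
  const removed = [];
  const kept = elements.map(({ tag, attrs }) => {
    const clean = {};
    for (const [name, value] of Object.entries(attrs)) {
      if (isAttributeAllowed(tag, name, config)) clean[name] = value;
      else removed.push(`${tag}@${name}`);
    }
    return { tag, attrs: clean };
  });
  return { elements: kept, removed };
}

// Audit helper: returns the event-handler names a config's attributeNameCheck would
// accept on a matching custom element. An empty result is what a build-time test
// should assert on before shipping a sanitizer configuration.
const PROBE_HANDLERS = ['onclick', 'onload', 'onerror', 'onmouseover'];
function configAllowsEventHandlers(config) {
  return PROBE_HANDLERS.filter((h) => matches(config.attributeNameCheck, h));
}

// Constructed sample: a custom element with one legitimate attribute and one
// injected handler (placeholder value), plus a plain element for contrast.
const SAMPLE = [
  { tag: 'umb-icon', attrs: { name: 'icon-alert', onclick: '/* attacker-controlled */' } },
  { tag: 'p', attrs: { class: 'note', onload: '/* attacker-controlled */' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('permissive:', JSON.stringify(sanitizeElements(SAMPLE, PERMISSIVE_CONFIG)));
  console.log('hardened:  ', JSON.stringify(sanitizeElements(SAMPLE, HARDENED_CONFIG)));
  console.log('permissive accepts handlers:', configAllowsEventHandlers(PERMISSIVE_CONFIG));
}
```

Run it with `node` to see the permissive config keep `onclick` on `umb-icon` while the hardened one drops it; the `onload` on the plain `p` is dropped under both, which is why the bug only surfaces inside the custom web components the advisory lists. The `configAllowsEventHandlers` audit is the check worth keeping in a test suite: it catches a regex that is too broad regardless of which markup happens to be rendered.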
### Patches
The issue is patched in 16.5.1 and 17.2.2.
### Workarounds
There is no workaround other than upgrading.
### References
https://docs.umbraco.com/umbraco-cms/reference/umbraco-flavored-markdown
NVD CVSS 3.1: 6.7
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026