CVE-2026-46616

MEDIUM EPSS 7.7%
Published Jun 10, 20262w ago · Modified Jun 17, 20261w ago
6.1 CVSS 3.1
Medium
Find Similar
Published Jun 10, 2026 2w ago
Last Modified Jun 17, 2026 1w ago

Description

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
7.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-601

Affected Products 2

VendorProductVersionRange
umbracoumbraco_cms* <13.14.0
umbracoumbraco_cms*≥14.0.0  –  <17.4.0

References 3

  • github.com https://github.com/umbraco/Umbraco-CMS/pull/22561
    Issue TrackingPatch
  • github.com https://github.com/umbraco/Umbraco-CMS/pull/22565
    Issue TrackingPatch
  • github.com https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7
    MitigationVendor Advisory

Remediation

  • github.com https://github.com/umbraco/Umbraco-CMS/pull/22561
    Issue TrackingPatch
  • github.com https://github.com/umbraco/Umbraco-CMS/pull/22565
    Issue TrackingPatch