MEDIUM 4.6

GHSA-vr9v-27gg-qgx4

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Details

### Impact

Authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding.

### Patches

This issue has been patched in 17.4.0.

Affected packages

NuGet / Umbraco.Cms
Introduced in: 14.0.0
Fixed in: 17.4.0
Fix: `dotnet add package Umbraco.Cms --version 17.4.0`
