DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-31833: Stored XSS in Umbraco CMS UFM Rendering Pipeline via Permissive DOMPurify Configuration

Vulnerability ID: CVE-2026-31833
CVSS Score: 6.7
Published: 2026-03-11

Umbraco CMS versions 16.2.0 to 16.5.0 and 17.0.0 to 17.2.1 contain a stored Cross-Site Scripting (XSS) vulnerability in the Umbraco Flavored Markdown (UFM) rendering engine. An overly permissive DOMPurify configuration allows authenticated users with Settings access to inject arbitrary JavaScript event handlers into custom web components, leading to execution in the context of other backoffice users.

TL;DR

A misconfigured DOMPurify instance in Umbraco CMS UFM rendering allows authenticated backoffice users to inject persistent XSS payloads via custom element event handlers. This is patched in versions 16.5.1 and 17.2.2 by restricting attribute names starting with 'on'.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-79 (Stored XSS)
  • Attack Vector: Network
  • CVSS Base Score: 6.7
  • EPSS Score: 0.00043 (0.04%)
  • Impact: High Confidentiality & Integrity
  • Exploit Maturity: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • Umbraco-CMS
  • Umbraco-CMS: 16.2.0 to < 16.5.1 (Fixed in: 16.5.1)
  • Umbraco-CMS: 17.0.0 to < 17.2.2 (Fixed in: 17.2.2)

Code Analysis

Commit: 2624b25

Fix permissive DOMPurify attribute filtering in UFM context

Exploit Details

  • GitHub Commit (Unit Tests): PoC payloads are included in the test suites, confirming the bypass for the 'onclick', 'onload', and 'onmouseover' attributes.

Mitigation Strategies

  • Upgrade Umbraco CMS to the latest patched versions (16.5.1 or 17.2.2)
  • Audit and enforce least privilege for users with access to the 'Settings' section
  • Monitor database updates to Document Type properties for suspicious HTML attributes

Remediation Steps:

  1. Review current Umbraco CMS deployment version
  2. Test the applicable upgrade (16.5.1 or 17.2.2) in a staging environment
  3. Apply the patch to the production environment
  4. Audit existing Document Type descriptions for unauthorized XSS payloads
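The audit in step 4 and the monitoring suggested under Mitigation Strategies both come down to one check: does a stored HTML or UFM fragment carry an attribute whose name starts with 'on'? The following is an added example, not Umbraco's or DOMPurify's code. It applies the same rule the patch is described as enforcing (rejecting attribute names that begin with 'on', compared case-insensitively) to a set of constructed Document Type descriptions. The element names (`my-widget`, `my-card`), the `handler()` attribute values and the description texts are all made up for the sample and are not taken from the report.

```javascript
// Added example (not Umbraco's or DOMPurify's code): audit stored UFM/HTML
// fragments for inline event-handler attributes on any element, including
// custom web components. The fix for CVE-2026-31833 is described as rejecting
// attribute names starting with "on"; this scanner applies the same rule to
// content that was saved before the upgrade.

// Mirrors the patched rule: the name is compared case-insensitively and
// anything starting with "on" is rejected, whatever the element is.
function isRejectedAttributeName(name) {
  return name.toLowerCase().startsWith("on");
}

// Minimal start-tag scanner. For each start tag it returns the element name
// and its attributes. It tolerates odd whitespace, unquoted values and mixed
// case on purpose: browsers are lenient, so an audit tool must be too.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) break;
    if (html.startsWith("<!--", lt)) {            // skip comments
      const end = html.indexOf("-->", lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    if (html[lt + 1] === "/") { i = lt + 2; continue; }   // skip end tags
    let j = lt + 1;
    let name = "";
    // Element names may contain a hyphen (custom elements always do).
    while (j < html.length && /[A-Za-z0-9-]/.test(html[j])) name += html[j++];
    if (!name) { i = lt + 1; continue; }
    const attrs = [];
    while (j < html.length) {
      while (j < html.length && /\s/.test(html[j])) j++;
      if (j >= html.length || html[j] === ">") break;
      if (html[j] === "/") { j++; continue; }              // self-closing slash
      let attrName = "";
      while (j < html.length && !/[\s=>\/]/.test(html[j])) attrName += html[j++];
      if (!attrName) { j++; continue; }
      while (j < html.length && /\s/.test(html[j])) j++;
      let value = null;
      if (html[j] === "=") {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {                       // quoted value
          const end = html.indexOf(q, j + 1);
          value = html.slice(j + 1, end === -1 ? html.length : end);
          j = end === -1 ? html.length : end + 1;
        } else {                                            // unquoted value
          let v = "";
          while (j < html.length && !/[\s>]/.test(html[j])) v += html[j++];
          value = v;
        }
      }
      attrs.push({ name: attrName, value });
    }
    tags.push({ name: name.toLowerCase(), attrs });
    i = j + 1;
  }
  return tags;
}

// One finding per offending attribute: which element, which attribute, what value.
function findEventHandlerAttributes(html) {
  const findings = [];
  for (const tag of scanTags(html)) {
    for (const attr of tag.attrs) {
      if (isRejectedAttributeName(attr.name)) {
        findings.push({ element: tag.name, attribute: attr.name, value: attr.value });
      }
    }
  }
  return findings;
}

// Constructed sample descriptions keyed by Document Type name (not real records).
const SAMPLE_DESCRIPTIONS = {
  "Blog Post": "Shown on the <strong>front page</strong>. Use sparingly.",
  "Hero Banner": '<my-widget ONCLICK="handler()">New</my-widget> plus text',
  "Author": "<my-card data-id=42 onMouseOver = 'handler()' onload=handler()>bio</my-card>",
};

// Returns only the Document Types that need attention, with their findings.
function auditDescriptions(descriptions) {
  const report = {};
  for (const [docType, text] of Object.entries(descriptions)) {
    const findings = findEventHandlerAttributes(text);
    if (findings.length) report[docType] = findings;
  }
  return report;
}

console.log(JSON.stringify(auditDescriptions(SAMPLE_DESCRIPTIONS), null, 2));
```

Run against the constructed data, the audit flags "Hero Banner" (one `ONCLICK`) and "Author" (`onMouseOver` and `onload`, one with spaces around `=` and one unquoted) and leaves "Blog Post" alone. The rule is a name check, so a value that merely contains "on" (such as `title="on"`) is not reported. In a live deployment the same `isRejectedAttributeName` predicate is what you would wire into DOMPurify's `uponSanitizeAttribute` hook to drop the attribute at sanitization time; this example only uses it for the after-the-fact audit.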
