Redirect URL Validation Flaw in Umbraco CMS Affects User Safety
CVE-2026-46616

5.4MEDIUM

Key Information:

Vendor

Umbraco

Vendor
CVE Published:
10 June 2026

What is CVE-2026-46616?

Umbraco CMS is an ASP.NET-based content management system that has a vulnerability in some of its Surface Controllers. This flaw arises from a failure to properly validate redirect URLs associated with member operations, which allows attackers to exploit user-controlled query parameters. This results in potential malicious redirect attacks. The vulnerability has been addressed in versions 13.14.0 and 17.4.0, where necessary measures have been implemented to enhance URL validation.

Affected Version(s)

Umbraco-CMS < 13.14.0 < 13.14.0

Umbraco-CMS >= 17.3.0-rc, < 17.4.0 < 17.3.0-rc, 17.4.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.