CVE-2026-46616

5.4 MEDIUM
Published: June 10, 2026 Modified: June 12, 2026

Description

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers that the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

https://github.com/umbraco/Umbraco-CMS/pull/22561
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/umbraco/Umbraco-CMS/pull/22565
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7
Source: security-advisories@github.com
Mitigation Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.0%
9th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

umbraco