The official profile for Umbraco - The Friendly OpenSource ASP.NET CMS. Managed by Umbraco HQ.
The severity of the vulnerability previously announced has been re-evaluated and upgraded from moderate to high. The patch released on April 8, 2025, still fully resolves the issue.
Umbraco has identified a security vulnerability affecting versions 14.0.0 - 14.3.3 and 15.0.0 - 15.3.0, allowing backoffice users to exploit API requests. Patches are now available, and Umbraco Cloud will automatically apply fixes. Users are advised to upgrade to the latest minor versions for optimal security.
Umbraco has released patches for versions 10.0.0 - 10.8.8 and 13.0.0 - 13.7.0, as well as 14.0.0 - 14.3.2 and 15.0.0 - 15.2.2, to address high-severity vulnerabilities related to the ImageSharp dependency. Users are advised to update to the latest minor versions for optimal security.
Umbraco versions 10.0.0-10.8.7, 13.0.0-13.5.2, and 14.0.0-15.1.1 have moderate-severity vulnerabilities, while Umbraco 8 and below are unaffected. Patches are available for the latest minor versions, and Umbraco Cloud sites will receive automatic updates. Vulnerabilities include XSS and user enumeration issues.
Umbraco versions 8.0.0 to 14.3.0 are affected by various medium-severity vulnerabilities; users need to upgrade to the latest minor versions to receive the patches. The vulnerabilities include stored XSS and potential code execution, and exploitation requires authenticated access. Users are encouraged to enable automatic minor upgrades for enhanced security.