Jason Elkin critiques CVE-2025-67288, arguing it misrepresents Umbraco's security regarding PDF uploads with embedded JavaScript. He asserts that Umbraco does not process such files for remote code execution or XSS vulnerabilities. Elkin proposes implementing an IFileStreamSecurityAnalyzer to enhance file safety checks, mitigating potential risks effectively.
Debasish Gracias discusses implementing a Content Security Policy (CSP) for Umbraco v17, focusing on allowing editors to embed JavaScript securely. He outlines a method to automatically inject CSP nonces into editor-supplied script tags, ensuring compliance with strict CSP settings while maintaining flexibility for content creators.
Keyur Garala outlines critical Umbraco security vulnerabilities for 2026, emphasizing the importance of regular updates, strong authentication, and proper user permissions. He highlights risks from outdated software, insecure plugins, and misconfigured environments. To safeguard against cyber threats, Garala advocates for consistent security practices and partnering with Arroact for professional support.
Umbraco versions 13.0.0 to 13.12.0 are vulnerable due to an issue with .udt file uploads, allowing potential file system enumeration and NTLM hash retrieval. A patch is available for Umbraco 13.12.1, and Umbraco Cloud sites are automatically updated. Thanks to Tomasz Holeksa for reporting the vulnerability.
Jason Elkin discusses a recent Denial of Service incident affecting an Umbraco site due to bot-generated form submissions. The excessive logging and errors from these submissions degraded performance. Implementing a Cloudflare WAF rule to limit POST requests effectively blocked 3 million malicious requests, ensuring site stability for legitimate users.
Umbraco upgrades have evolved significantly, transitioning from challenging migrations to smoother processes, especially from version 10 onwards. Bump Digital emphasizes the importance of proactive planning, client communication, and leveraging modern .NET features to enhance performance and security. Upgrades are now more manageable, with predictable release schedules and improved documentation for breaking changes.
Andy Butland reports that moderate and low security vulnerabilities in Smidge, an upstream dependency for Umbraco 13.0.0 - 13.10.1, have been addressed with patches. Users are advised to upgrade to the latest version, while Umbraco Cloud projects will receive automatic updates. Further details are available in the release notes.
Umbraco HQ hosts a panel discussion with experts Emma Burstow, Chris Osterhout, and Zoja Antuchevič on open source software security. They address misconceptions, stressing community involvement, transparency, and effective implementation. The discussion emphasizes the importance of education in procurement, a collaborative approach to risk management, and balancing developer freedom with security measures.
Content Security Policy utilities for Umbraco CMS applications.
Umbraco versions 13.0.0 to 16.1.0 are affected by a vulnerability in the Content Delivery API, allowing unauthorized access to cached content without a valid API key. Patches are available for the latest minor versions, and Umbraco Cloud sites will be automatically updated. Users are advised to upgrade to supported versions for security.
Zoja Antuchevič discusses Lithuania's proactive approach to cybersecurity, emphasizing its national priority and community involvement. The country has developed a robust framework integrating government, private sector, and international partnerships, establishing itself as a model for Europe. Lithuania's collaborative efforts enhance regional resilience against evolving cyber threats, showcasing the importance of shared responsibility.
In his workshop held on June 17, 2025, Steven Harland introduced developers to web security testing using Burp Suite, emphasizing the importance of security knowledge for application developers. Participants engaged in hands-on exercises with a vulnerable Umbraco application, enhancing their skills in identifying and mitigating security vulnerabilities.
Umbraco versions 13.0.0 - 13.9.1 and 10.0.0 - 10.8.10 are affected by a vulnerability that exposes password complexity details through an anonymous API endpoint. Patches are available for the latest minor versions, and Umbraco Cloud sites will receive automatic updates. Users are encouraged to upgrade to supported versions.
A flexible middleware component that provides IP whitelisting, URL pattern matching, and query string authentication for protecting areas of your Umbraco website.
Umbraco CMS 15 has a moderate security vulnerability allowing unauthorized file uploads by bypassing configured extensions. Patches for affected versions (15.0.0 - 15.4.1) are now available, with automatic updates for Umbraco Cloud. João Mendes from Devoteam Cyber Trust reported the issue, which has not been exploited prior to this disclosure.
Umbraco's Community Security and Privacy Team developed the Auth Policy Browser, a dashboard tool to help developers identify broken access controls in their applications. This tool highlights controller actions and API methods, focusing on authorization policies. It aims to prevent unauthorized access by ensuring proper use of [Authorize] and [AllowAnonymous] attributes.
Umbraco versions 10.0.0 - 10.8.9 and 13.0.0 - 13.8.0 are vulnerable to a user enumeration issue. Users are advised to upgrade to the latest minor versions (10.8.10, 13.5.3) to apply patches. Umbraco Cloud sites will receive automatic updates. Credit is given to Arne Hildrum, Kristian Eriksen, and Erik Hansen-Tangen Breien for reporting the vulnerability.
The Encryption Property Editor allows you to securely encrypt data entered in the Umbraco backoffice.
The severity of the vulnerability previously announced has been re-evaluated and upgraded from moderate to high. The patch released on April 8, 2025, still fully resolves the issue.