CVE-2026-31833 is a cross-site scripting vulnerability affecting Umbraco CMS, an ASP.NET-based content management system. The flaw exists in versions from 16.2.0 up to but not including 16.5.1, and from 17.0.0 up to but not including 17.2.2. The vulnerability arises because the UFM DOMPurify instance used to sanitize HTML input in property type descriptions has an overly permissive attributeNameCheck regex (/.+/), which fails to block event handler attributes such as onclick and onload. These event handlers can be embedded within Umbraco’s custom web components (umb-*, uui-*, ufm-*), allowing an authenticated backoffice user with access to the Settings section to inject malicious scripts. When other users access pages rendering these property descriptions, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability requires authenticated access with elevated privileges but does not require victim user interaction to trigger the malicious script once injected. The CVSS v3.1 base score is 6.7, reflecting medium severity with high impact on confidentiality and integrity, low impact on availability, network attack vector, low attack complexity, and no user interaction needed. The issue has been addressed in Umbraco CMS versions 16.5.1 and 17.2.2 by tightening the attribute filtering in DOMPurify to exclude event handler attributes. No public exploits have been reported, but the vulnerability poses a risk in environments where multiple users access the CMS backoffice or rendered content.

This vulnerability can lead to significant security risks for organizations using affected versions of Umbraco CMS. An attacker with authenticated backoffice access can inject malicious scripts that execute in the browsers of other users viewing the affected content, potentially stealing session tokens, performing unauthorized actions, or spreading malware. This compromises confidentiality and integrity of the CMS environment and any connected systems. Organizations relying on Umbraco for public-facing websites or internal portals risk reputational damage, data breaches, and unauthorized access. The requirement for authenticated access limits exposure but insider threats or compromised credentials can enable exploitation. The vulnerability could also facilitate lateral movement within an organization’s network if leveraged in combination with other vulnerabilities or social engineering. Given Umbraco’s popularity in Europe and other regions, the impact is notable for enterprises, government agencies, and service providers using this CMS.

Organizations should immediately upgrade affected Umbraco CMS instances to versions 16.5.1 or 17.2.2 or later, where the vulnerability is fixed. Until upgrades are possible, restrict backoffice access strictly to trusted users and enforce strong authentication and authorization controls to minimize risk of credential compromise. Review and audit property type descriptions and other content fields for suspicious or unexpected HTML or script injections. Implement additional web application firewall (WAF) rules to detect and block attempts to inject event handler attributes or suspicious HTML in requests to the CMS. Monitor logs for unusual backoffice activity or content changes. Educate administrators on the risks of injecting untrusted content and the importance of least privilege. Consider isolating the CMS environment and limiting network access to reduce potential lateral movement. Regularly apply security patches and monitor Umbraco security advisories for updates.