Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:nuget/Umbraco.CMS@10.7.0
purl pkg:nuget/Umbraco.CMS@10.7.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-azpt-qmk7-1ueu Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted. CVE-2023-49279
GHSA-6xmx-85x3-4cv2
VCID-wtw6-zcw6-2yd2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue. CVE-2023-38694
GHSA-xxc6-35r7-796w

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:46:36.064764+00:00 GitLab Importer Fixing VCID-wtw6-zcw6-2yd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-38694.yml 38.6.0
2026-06-02T04:46:34.907529+00:00 GitLab Importer Fixing VCID-azpt-qmk7-1ueu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49279.yml 38.6.0