Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:nuget/Umbraco.CMS@8.0.0
purl pkg:nuget/Umbraco.CMS@8.0.0
Next non-vulnerable version 8.18.9
Latest non-vulnerable version 17.2.2
Risk
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-1rkh-7s4e-vyen
Aliases:
CVE-2023-49089
GHSA-6324-52pr-h4p5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.
8.18.10
Affected by 0 other vulnerabilities.
10.8.1
Affected by 0 other vulnerabilities.
12.3.4
Affected by 0 other vulnerabilities.
VCID-6hye-45tx-auc9
Aliases:
CVE-2023-49273
GHSA-cfr5-7p54-4qg8
Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
8.18.10
Affected by 0 other vulnerabilities.
10.8.1
Affected by 0 other vulnerabilities.
12.3.4
Affected by 0 other vulnerabilities.
VCID-azpt-qmk7-1ueu
Aliases:
CVE-2023-49279
GHSA-6xmx-85x3-4cv2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
8.18.9
Affected by 0 other vulnerabilities.
10.7.0
Affected by 0 other vulnerabilities.
11.5.0
Affected by 0 other vulnerabilities.
12.2.0
Affected by 0 other vulnerabilities.
VCID-ehsc-c1uh-tua1
Aliases:
CVE-2023-49278
GHSA-7x74-h8cw-qhxq
Exposure of Sensitive Information to an Unauthorized Actor Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
8.18.10
Affected by 0 other vulnerabilities.
10.8.1
Affected by 0 other vulnerabilities.
12.3.4
Affected by 0 other vulnerabilities.
VCID-s3pr-pezb-4qf4
Aliases:
CVE-2023-48227
GHSA-335x-5wcm-8jv2
Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.
8.18.10
Affected by 0 other vulnerabilities.
10.8.0
Affected by 0 other vulnerabilities.
12.3.0
Affected by 0 other vulnerabilities.
VCID-wtw6-zcw6-2yd2
Aliases:
CVE-2023-38694
GHSA-xxc6-35r7-796w
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.
8.18.10
Affected by 0 other vulnerabilities.
10.7.0
Affected by 0 other vulnerabilities.
12.1.0
Affected by 0 other vulnerabilities.
VCID-xu9a-vwjv-5ycb
Aliases:
CVE-2023-49274
GHSA-8qp8-9rpw-j46c
Exposure of Sensitive Information to an Unauthorized Actor Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
8.18.10
Affected by 0 other vulnerabilities.
10.8.1
Affected by 0 other vulnerabilities.
12.3.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:46:37.136184+00:00 GitLab Importer Affected by VCID-6hye-45tx-auc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49273.yml 38.6.0
2026-06-02T04:46:36.752158+00:00 GitLab Importer Affected by VCID-1rkh-7s4e-vyen https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49089.yml 38.6.0
2026-06-02T04:46:36.097629+00:00 GitLab Importer Affected by VCID-ehsc-c1uh-tua1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49278.yml 38.6.0
2026-06-02T04:46:36.035368+00:00 GitLab Importer Affected by VCID-wtw6-zcw6-2yd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-38694.yml 38.6.0
2026-06-02T04:46:35.476456+00:00 GitLab Importer Affected by VCID-xu9a-vwjv-5ycb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49274.yml 38.6.0
2026-06-02T04:46:35.339604+00:00 GitLab Importer Affected by VCID-s3pr-pezb-4qf4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-48227.yml 38.6.0
2026-06-02T04:46:34.826109+00:00 GitLab Importer Affected by VCID-azpt-qmk7-1ueu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49279.yml 38.6.0