Title: Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
CVE ID: CVE-2025-48953
CVSSv3.1 Base Score: 5.5 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L)
Vendor: Umbraco
Products: Umbraco CMS
Advisory Release Date: 3 June 2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-48953
Credits: Discovery by João Mendes <joao.pedro.mendes@devoteam.com>
Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it is possible to upload a file that does not adhere to the configured allowed file extensions via a manipulated API request.