CVE-2025-32017

Summary

Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.

Affected Software

VendorProductVersion RangeStatus
umbracoUmbraco-CMS>= 14.0.0--preview004, < 14.3.4affected
umbracoUmbraco-CMS>= 15.0.0-rc1, < 15.3.1affected

Weaknesses

  • CWE-23: CWE-23: Relative Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References