CVE-2026-46609: Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

May 21, 2026

Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding.

References

github.com/advisories/GHSA-vr9v-27gg-qgx4
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vr9v-27gg-qgx4
nvd.nist.gov/vuln/detail/CVE-2026-46609

Code Behaviors & Features

Detect and mitigate CVE-2026-46609 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →