CVE-2025-24012: XSS/HTML Injection Vulnerability in Umbraco Backoffice Components

January 21, 2025 (updated February 20, 2025)

Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.

References

github.com/advisories/GHSA-wv8v-rmw2-25wc
github.com/umbraco/Umbraco-CMS
github.com/umbraco/Umbraco-CMS/commit/d4f8754f933895b3a329296e25ddea6f84a0aea2
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wv8v-rmw2-25wc
nvd.nist.gov/vuln/detail/CVE-2025-24012

Code Behaviors & Features

Detect and mitigate CVE-2025-24012 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →