CVE-2026-31833: Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering

March 11, 2026

An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*) were not filtered.

References

github.com/advisories/GHSA-vrqc-59mw-qqg7
github.com/umbraco/Umbraco-CMS
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-vrqc-59mw-qqg7
nvd.nist.gov/vuln/detail/CVE-2026-31833

Code Behaviors & Features

Detect and mitigate CVE-2026-31833 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →