CVE-2021-47776: Umbraco CMS contains a server-side request forgery vulnerability

January 15, 2026

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.

References

github.com/advisories/GHSA-h66j-xm43-47pp
github.com/umbraco/Umbraco-CMS
nvd.nist.gov/vuln/detail/CVE-2021-47776
our.umbraco.com/
releases.umbraco.com/all-releases
www.exploit-db.com/exploits/50462

Code Behaviors & Features

Detect and mitigate CVE-2021-47776 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →