CVE-2025-32017 HIGH

CVE-2025-32017: Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

Vendor Umbraco

Product Umbraco-CMS

Weakness CWE-23

Published April 8, 2025

Last update April 9, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.

Key dates

02Disclosure timeline

April 8, 2025 CVE published

April 9, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-32017

Related vulnerabilities

Identifiers

CVE CVE-2025-32017

CWE CWE-23

CVSS 8.8 / HIGH

Affected versions

Vendor Umbraco

Product Umbraco-CMS

Affected >= 14.0.0--preview004, < 14.3.4

Vendor Umbraco

Product Umbraco-CMS

Affected >= 15.0.0-rc1, < 15.3.1

CVE-2025-32017: Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

01Description

02Disclosure timeline

03References

04Related CVE