Description

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.

Related CPE's

a

umbraco

umbraco_cms

8.14.1

Vulnerable

References

https://our.umbraco.com/

Product

https://releases.umbraco.com/all-releases

Release Notes

https://www.exploit-db.com/exploits/50462

ExploitVDB Entry

Weaknesses

[email protected]

Primary
CWE-918

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-15T16:16:09.510Z

1 month ago

Last modified

2026-01-23T18:06:44.670Z

3 weeks ago