XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.
Advisories for Npm/@Umbraco-Cms/Backoffice package
2025
2024
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content.