{"timestamp":"2025-12-22T18:59:14.508768Z","id":"CVE-2025-67288","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself. The supplier also believes that this CVE is a duplicate of CVE-2023-49279 because the CVEs only differ in the file type.

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself.

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself. The supplier also believes that this CVE is a duplicate of CVE-2023-49279 because the CVEs only differ in the file type.

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

OR
          *cpe:2.3:a:umbraco:umbraco_cms:16.3.3:*:*:*:*:*:*:*

MITRE: http://umbraco.com Types: Product

MITRE: https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288 Types: Third Party Advisory

disputed

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself.

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-434

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.

http://umbraco.com

https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288