CVE-2025-67288
Last modified
CVE-2025-67288 is a critical-severity vulnerability rated 10/10 on the CVSS scale. An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Umbraco | Umbraco Cms | 16.3.3 |
References
- http://umbraco.comProduct
- https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2025-67288?
How severe is CVE-2025-67288?
How do I fix CVE-2025-67288?
Are you affected by CVE-2025-67288?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST