CVE-2025-67288 · CRITICAL 10.0 · EPSS p39.1%

Description

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.50% probability of exploitation · percentile 39.1% · 2026-06-19T12:03:05Z
Published: 2025-12-22
Last modified: 2026-01-08

Underlying weaknesses · 1

CWE-434

References

  1. http://umbraco.com
  2. https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288

Type | Target | Confidence | Tier
Weakness | Unrestricted Upload of File with Dangerous Type (cwe-434) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-32017
CVE-2025-29287
CVE-2025-22389
CVE-2025-25361
CVE-2025-67164
CVE-2025-54757

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.