Description

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.

PUBLISHED Reserved 2026-01-14 | Published 2026-01-15 | Updated 2026-01-15 | Assigner VulnCheck




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L)
MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Problem types

Server-Side Request Forgery (SSRF)

Product status

8.14.1: affected

Credits

NgoAnhDuc (finder)

References

www.exploit-db.com/exploits/50462 (ExploitDB-50462) exploit

our.umbraco.com/ (Umbraco Official Homepage) product

releases.umbraco.com/all-releases (Umbraco CMS Release Notes) product

cve.org (CVE-2021-47776)

nvd.nist.gov (CVE-2021-47776)
