GHSA-pgvc-6h2p-q4f6: Umbraco CMS disclosure of configured password requirements

Impact

A request to an endpoint that accepts anonymous authentication can retrieve information about the configured password requirements. The information available is limited, but it could give some additional detail useful to someone attempting to brute-force a user's password.

The vulnerability is present in the supported Umbraco versions 10 and 13. It is not exposed in Umbraco 7 or 8, nor in version 14 or higher.

Patches

Patched in 10.8.11 and 13.9.2

Moderate severity · GitHub Reviewed · Published Jun 24, 2025 in umbraco/Umbraco-CMS · Updated Jun 24, 2025

Package

Umbraco.Cms (NuGet)

Affected versions

>= 10.0.0, < 10.8.11

>= 13.0.0, < 13.9.2

Patched versions

10.8.11

13.9.2
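A triage helper, added here as an example and not part of the advisory or of the Umbraco project, that reads Umbraco.Cms PackageReference versions from a .csproj and checks them against the affected ranges stated above. The sample project file is constructed; pre-release suffixes are treated as sorting below the matching release, so a pre-release of a patched version is still flagged.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory: >= 10.0.0, < 10.8.11 and
# >= 13.0.0, < 13.9.2. The 4th tuple element marks a release (1) versus a
# pre-release (0) so that e.g. 10.8.11-rc1 still sorts below the 10.8.11 fix.
AFFECTED_RANGES = [
    ((10, 0, 0, 1), (10, 8, 11, 1)),
    ((13, 0, 0, 1), (13, 9, 2, 1)),
]

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.-]+)?")

def parse_version(text):
    """Parse '13.9.1', '13.9.1.0' or '13.9.1-rc1' into a comparable tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)

def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def umbraco_cms_versions(csproj_xml):
    """Versions of the Umbraco.Cms PackageReference(s) in a .csproj string."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Version") for el in root.iter("PackageReference")
            if el.get("Include") == "Umbraco.Cms" and el.get("Version")]

def triage(csproj_xml):
    """Map each referenced Umbraco.Cms version to True/False, or None when the
    version cannot be parsed (e.g. an MSBuild property like $(UmbracoVersion))."""
    result = {}
    for ver in umbraco_cms_versions(csproj_xml):
        try:
            result[ver] = is_affected(ver)
        except ValueError:
            result[ver] = None
    return result

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="13.9.1" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    labels = {True: "AFFECTED, upgrade", False: "not affected", None: "unresolved"}
    for ver, hit in triage(SAMPLE_CSPROJ).items():
        print(f"Umbraco.Cms {ver}: {labels[hit]}")
```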


References

  • GHSA-pgvc-6h2p-q4f6
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49147
  • umbraco/Umbraco-CMS@b414456
  • umbraco/Umbraco-CMS@d8f68d2

Published to the GitHub Advisory Database

Jun 24, 2025

Last updated

Jun 24, 2025
