CVE-2025-67288

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.


We have discovered 877 live websites that are affected by CVE-2025-67288.





Affected Software

Product                    Umbraco
Category                   Content Management System
Vulnerable Domains         877 live websites (100% of Umbraco install base)
Vulnerable Versions
  • from 0 through 16.3.3
Vulnerable Versions Count  5 versions (100% of all versions)



Details

  • Published - Dec 22, 2025
  • Updated - Jan 8, 2026

Website Distribution by Country

Number of websites affected by CVE-2025-67288

United States  322 websites
Denmark        95 websites
GB             78 websites
Canada         56 websites
Australia      44 websites
Netherlands    31 websites
Italy          28 websites
Sweden         27 websites
France         20 websites
Croatia        18 websites

Website Distribution by TLD

Number of websites affected by CVE-2025-67288

.com     367 websites
.dk      82 websites
.com.au  64 websites
.ca      42 websites
.co.uk   42 websites
.nl      27 websites
.it      23 websites
.se      22 websites
.org     19 websites
.net     13 websites


Websites affected by CVE-2025-67288

Top websites that are affected by CVE-2025-67288.

FAQ

A total of 877 websites have been identified as vulnerable to CVE-2025-67288, based on global website indexing conducted by WebTechSurvey.
Umbraco is affected by the CVE-2025-67288 vulnerability.
Umbraco versions up to and including 16.3.3 are vulnerable to CVE-2025-67288.