Umbraco disputes CVE-2025-67288 as browser behavior, not CMS vulnerability

Umbraco is contesting CVE-2025-67288, a reported file upload vulnerability claiming remote code execution via PDF JavaScript. The CMS vendor argues the behavior is standard browser PDF handling, not an Umbraco-specific flaw. No patches planned, but mitigation code is available for concerned users.

Umbraco is formally disputing CVE-2025-67288, a vulnerability report claiming its CMS allows remote code execution through PDF file uploads containing embedded JavaScript.

The CVE, which affects Umbraco v16.3.3 and potentially earlier versions, received attention for its critical severity rating. The proof of concept is straightforward: upload a crafted PDF with JavaScript, observe the script executing in the browser. But Umbraco's position is that this has nothing to do with the CMS itself.

Why Umbraco says it's not their problem

The distinction matters for CWE-434 classification, which requires dangerous file types to be "automatically processed within its environment." Umbraco argues the PDF isn't processed by the CMS at all. The JavaScript executes in the browser's PDF viewer, sandboxed and isolated from the web context. No fetch(), no document.cookie, just PDF-specific APIs like app.alert().

Chromium's security FAQ explicitly addresses this: executing JavaScript in a PDF doesn't constitute an XSS vulnerability. The browser handles it, not the web application serving the file. You could host the same PDF on GitHub Pages with identical results.

Forum discussions confirm Umbraco is seeking duplicate or invalid status for the CVE. As of early February 2026, no patches are planned because the vendor doesn't consider it a valid vulnerability.

Mitigation for the cautious

For organizations with strict security postures, Umbraco's IFileStreamSecurityAnalyzer interface provides a way to scan uploads. The implementation can inspect PDF file streams for JavaScript payloads and reject them before storage.

The approach mirrors existing patterns for SVG sanitization. Using libraries like FileSignatures for file type detection and PdfPig for content parsing, developers can implement custom validation logic that blocks PDFs containing suspicious keys like "JS", "JavaScript", or "OpenAction".
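As an added example, not code from Umbraco or from the report, here is what such an analyzer can look like in C#. It implements the IFileStreamSecurityAnalyzer interface named above but, rather than using PdfPig and FileSignatures, does a byte-level scan of the raw PDF for the dictionary keys the article lists. The `%PDF-` header check, the `#xx` name-escape normalization, the extra `/AA` (additional actions) key, the class names and the composer registration via `FileStreamSecurityAnalyzers()` are this example's own assumptions about the Umbraco builder API.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;

namespace Example.Security;

/// <summary>
/// Rejects PDF uploads whose raw bytes contain JavaScript or auto-run action keys.
/// Constructed example for illustration, not Umbraco's own analyzer.
/// </summary>
public sealed class PdfJavaScriptStreamSecurityAnalyzer : IFileStreamSecurityAnalyzer
{
    // Keys from the article (/JS, /JavaScript, /OpenAction) plus /AA (additional
    // actions), another standard PDF trigger for running an action automatically.
    private static readonly string[] SuspiciousKeys = { "/JS", "/JavaScript", "/OpenAction", "/AA" };

    // PDF name objects may hex-escape any character: "/J#53" is the same name as "/JS".
    private static readonly Regex HexEscape = new(@"#([0-9A-Fa-f]{2})", RegexOptions.Compiled);

    // The PDF specification allows the "%PDF-" header anywhere in the first 1024 bytes.
    public bool FileContentMatchesFileType(Stream fileStream)
    {
        fileStream.Seek(0, SeekOrigin.Begin);
        var header = new byte[1024];
        int read = fileStream.Read(header, 0, header.Length);
        fileStream.Seek(0, SeekOrigin.Begin);
        return Encoding.ASCII.GetString(header, 0, read).Contains("%PDF-", StringComparison.Ordinal);
    }

    public bool IsConsideredSafe(Stream fileStream)
    {
        fileStream.Seek(0, SeekOrigin.Begin);
        // Latin1 maps every byte to exactly one char, so binary sections survive the scan.
        using var reader = new StreamReader(fileStream, Encoding.Latin1,
            detectEncodingFromByteOrderMarks: false, bufferSize: 4096, leaveOpen: true);
        string raw = reader.ReadToEnd();
        fileStream.Seek(0, SeekOrigin.Begin);

        string normalized = NormalizeNames(raw);
        foreach (string key in SuspiciousKeys)
        {
            if (ContainsName(normalized, key))
            {
                return false; // reject before the file reaches the media store
            }
        }
        return true;
    }

    // Decode #xx escapes so an obfuscated name compares equal to its plain spelling.
    internal static string NormalizeNames(string pdfText) =>
        HexEscape.Replace(pdfText, m => ((char)Convert.ToInt32(m.Groups[1].Value, 16)).ToString());

    // A name token ends at whitespace or a PDF delimiter, so "/JS" does not match "/JSONData".
    internal static bool ContainsName(string text, string name)
    {
        int idx = 0;
        while ((idx = text.IndexOf(name, idx, StringComparison.Ordinal)) >= 0)
        {
            int end = idx + name.Length;
            if (end == text.Length || IsDelimiterOrWhitespace(text[end]))
            {
                return true;
            }
            idx = end;
        }
        return false;
    }

    private static bool IsDelimiterOrWhitespace(char c) =>
        char.IsWhiteSpace(c) || "()<>[]{}/%".IndexOf(c) >= 0;
}

// Registration: assumed to follow Umbraco's composer pattern for analyzer collections.
public sealed class PdfAnalyzerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder) =>
        builder.FileStreamSecurityAnalyzers().Add<PdfJavaScriptStreamSecurityAnalyzer>();
}
```

Two caveats a reviewer would raise. First, a raw scan cannot see dictionary keys stored inside compressed object streams (`/ObjStm` with `/FlateDecode`, common in PDF 1.5 and later), which is exactly where a real parser such as PdfPig earns its place. Second, decoding `#xx` escapes across the whole file, including binary stream data, can occasionally manufacture a false match; for the strict posture the article describes, rejecting a benign upload is the acceptable side of that trade-off.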

The social engineering angle remains: crafted PDFs could still be used for phishing, regardless of where they're hosted. That's a user awareness problem, not an Umbraco one.

What this really illustrates is the challenge of CVE quality control. A vulnerability report that conflates browser behavior with application vulnerabilities creates noise for security teams trying to prioritize actual risks. Umbraco's dispute process matters because misclassified CVEs have real operational costs: unnecessary patching cycles, vendor communication overhead, and alert fatigue.

The NVD now flags CVE-2025-67288 as disputed. For Umbraco users on v13 (currently in security maintenance phase) and v16, the recommendation is straightforward: monitor the dispute resolution, but don't panic. This one's a false alarm.