CVE-2025-27601: 
C# vulnerability analysis and mitigation

Umbraco, a free and open source .NET content management system, disclosed a vulnerability (CVE-2025-27601) on March 11, 2025. The vulnerability affects Umbraco's API management package prior to versions 15.2.3 and 14.3.3. The issue involves an improper API access control that allows authenticated users with low privileges to create and update data type information that should be restricted to users with access to the settings section (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and results in low impact on integrity with no impact on confidentiality or availability (GitHub Advisory).

The vulnerability allows authenticated users with low privileges to perform unauthorized operations on data type information that should be restricted to users with settings section access. This results in a low impact on the integrity of the system, while maintaining no impact on confidentiality or availability (GitHub Advisory).

The issue has been patched in Umbraco versions 15.2.3 and 14.3.3. Users are advised to upgrade to these versions or later. No known workarounds are available for this vulnerability (GitHub Advisory).