Umbraco

How to get informed on security matters

Stay on top of Umbraco Security Advisories

Where we inform you about Security Advisories

When we have been made aware of a severe security issue and have found a fix, we provide you with timely and clear information (applies to medium, high, and critical severity):

  • Email: An email will go out linking to the Security Advisory heads-up blog post to all our subscribers on the dedicated Security mailing list. Follow link to sign up and ensure you get important security-related information directly in your inbox.
  • Blog post: A Security Advisory blog post on the Umbraco blog. This post will contain relevant details of the issue and which versions/products are affected. In case of heads-up information prior to release, the security advisory blog post will be published with information on release date and time, but limited information on the issue. This is to ensure that the vulnerability does not get exploited before you have the chance to upgrade.
  • GitHub: A dedicated Security Advisory will be published for the relevant project using GitHub's security advisory feature, including links to CVEs as well as fixes/PRs for our open-source projects. It is also possible to sign up for notifications on GitHub. You can sign up for them here:
  • Social media: We share security and heads-up information on @umbracoproject and on Mastodon.
  • All Umbraco Cloud projects automatically get security patches for Umbraco CMS, Deploy, and Forms on the day of release. Information will be shared on the Umbraco status page and in the Umbraco Cloud portal once the release is scheduled. 
Procedures for Low-, Medium-, High-, and Critical-severity Security Issues

When we have security-related announcements, we announce them in the following ways depending on the severity of the issue (we use the Common Vulnerability Scoring System v3.1 to evaluate reported issues):

Low severity

Security issues that are evaluated as “low severity” will be addressed in an upcoming patch for supported versions of the affected product. Patches of this nature will be released when ready and when they fit into the release schedule. There are instances where we will dismiss an issue or only fix it for the latest minor version, essentially treating it as any other reported bug.

Medium-severity

Security issues evaluated as “medium severity” or “moderate severity” will be addressed with a dedicated security patch as soon as possible.

  • A security advisory will be published on GitHub alongside the patch, with information on the affected product(s), including versions, details of patch availability, and possible workarounds.
  • A link to the Security Advisory will be sent out via the Security mailing list, and communicated on X and Mastodon.

All sites on Umbraco Cloud, running a supported version, will receive automated patches for Umbraco CMS, Heartcore, Deploy, and Forms on the day of release.

High-severity

Security issues evaluated as “high severity” will be addressed with a dedicated security patch as soon as possible.

  • Before releasing the patch, and any information on workarounds, we provide a heads-up email to the Security mailing list, and via social media, with a link to the security advisory blog post. This usually happens 5 days before release. The heads-up information clearly states when you can expect the patch and additional details to be released. This is to allow all partners and users to plan for updating their sites.

  • On the day of release, all sites on Umbraco Cloud will receive automated patches for Umbraco CMS, Deploy, and Forms. The security advisory blog post will be updated with links to the patch(es), the security advisory on GitHub, and any other relevant information. The updated security advisory blog post will be shared to the Security mailing list, and via social media.

Critical-severity

Security issues evaluated as “critical severity” will be handled in the same way as “high severity” described above. 

Depending on the nature of the issue, we will adjust communication (what/when information and details are shared), to facilitate the best circumstances for keeping Umbraco sites and users safe.

Previous Security Advisories 

If you want to know how our security advisories look and/or want to know which ones we've published in the past, see the History of Umbraco Security Advisories.