
    8 vulnerabilities found for Umbraco.Forms.Issues by umbraco

    CVE-2026-24687 (GCVE-0-2026-24687)

    Vulnerability from nvd – Published: 2026-01-29 19:57 – Updated: 2026-01-29 20:47
    VLAI
    Title
    Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac
    Summary
    Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the system's filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: >= 16.0.0, < 16.4.1
    Affected: >= 17.0.0, < 17.1.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24687",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-29T20:39:36.519302Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-29T20:47:23.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0, \u003c 16.4.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0, \u003c 17.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco Forms is a form builder that integrates with the Umbraco content management system. It\u0027s possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren\u0027t affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-29T19:57:24.484Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh"
            }
          ],
          "source": {
            "advisory": "GHSA-hm5p-82g6-m3xh",
            "discovery": "UNKNOWN"
          },
          "title": "Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24687",
        "datePublished": "2026-01-29T19:57:24.484Z",
        "dateReserved": "2026-01-23T20:40:23.389Z",
        "dateUpdated": "2026-01-29T20:47:23.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47280 (GCVE-0-2025-47280)

    Vulnerability from nvd – Published: 2025-05-13 17:06 – Updated: 2025-05-13 17:36
    VLAI
    Title
    Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
    Summary
    Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: >= 7.0.0, < 13.4.2
    Affected: >= 15.0.0, < 15.1.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47280",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-13T17:36:31.057513Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-13T17:36:37.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 13.4.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 15.0.0, \u003c 15.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the \u0027Send email\u0027 workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-13T17:06:56.715Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph"
            }
          ],
          "source": {
            "advisory": "GHSA-2qrj-g9hq-chph",
            "discovery": "UNKNOWN"
          },
          "title": "Umbraco.Forms has HTML injection vulnerability in \u0027Send email\u0027 workflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47280",
        "datePublished": "2025-05-13T17:06:56.715Z",
        "dateReserved": "2025-05-05T16:53:10.373Z",
        "dateUpdated": "2025-05-13T17:36:37.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23041 (GCVE-0-2025-23041)

    Vulnerability from nvd – Published: 2025-01-14 18:54 – Updated: 2025-01-14 20:44
    VLAI
    Title
    Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms
    Summary
    Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: < 8.13.16
    Affected: >= 10.0.0, < 10.5.7
    Affected: >= 11.0.0, < 13.2.2
    Affected: >= 14.0.0, < 14.1.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23041",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-14T20:43:43.541022Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-14T20:44:40.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.13.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 10.0.0, \u003c 10.5.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.0.0, \u003c 13.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 14.0.0, \u003c 14.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-14T18:54:45.430Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268"
            }
          ],
          "source": {
            "advisory": "GHSA-9v8m-qv22-f268",
            "discovery": "UNKNOWN"
          },
          "title": "Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-23041",
        "datePublished": "2025-01-14T18:54:45.430Z",
        "dateReserved": "2025-01-10T15:11:08.883Z",
        "dateUpdated": "2025-01-14T20:44:40.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-35239 (GCVE-0-2024-35239)

    Vulnerability from nvd – Published: 2024-05-28 20:15 – Updated: 2024-08-02 03:07
    VLAI
    Title
    Stored Cross-site Scripting on Components of Umbraco Forms
    Summary
    Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: >= 13.0.0, < 13.0.1
    Affected: >= 12.0.0, < 12.2.2
    Affected: >= 10.0.0, < 10.5.3
    Affected: < 8.13.13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-35239",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T20:41:29.769321Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T20:42:39.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:07:46.872Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 13.0.0, \u003c 13.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 10.0.0, \u003c 10.5.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.13.13 "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-28T20:15:28.512Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024"
            }
          ],
          "source": {
            "advisory": "GHSA-p572-p2rj-q5f4",
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross-site Scripting on Components of Umbraco Forms"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-35239",
        "datePublished": "2024-05-28T20:15:28.512Z",
        "dateReserved": "2024-05-14T15:39:41.786Z",
        "dateUpdated": "2024-08-02T03:07:46.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-24687 (GCVE-0-2026-24687)

    Vulnerability from cvelistv5 – Published: 2026-01-29 19:57 – Updated: 2026-01-29 20:47
    VLAI
    Title
    Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac
    Summary
    Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the system's filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: >= 16.0.0, < 16.4.1
    Affected: >= 17.0.0, < 17.1.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24687",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-29T20:39:36.519302Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-29T20:47:23.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0, \u003c 16.4.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0, \u003c 17.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco Forms is a form builder that integrates with the Umbraco content management system. It\u0027s possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren\u0027t affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-29T19:57:24.484Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh"
            }
          ],
          "source": {
            "advisory": "GHSA-hm5p-82g6-m3xh",
            "discovery": "UNKNOWN"
          },
          "title": "Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24687",
        "datePublished": "2026-01-29T19:57:24.484Z",
        "dateReserved": "2026-01-23T20:40:23.389Z",
        "dateUpdated": "2026-01-29T20:47:23.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47280 (GCVE-0-2025-47280)

    Vulnerability from cvelistv5 – Published: 2025-05-13 17:06 – Updated: 2025-05-13 17:36
    VLAI
    Title
    Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
    Summary
    Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: >= 7.0.0, < 13.4.2
    Affected: >= 15.0.0, < 15.1.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47280",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-13T17:36:31.057513Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-13T17:36:37.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 13.4.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 15.0.0, \u003c 15.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the \u0027Send email\u0027 workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-13T17:06:56.715Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph"
            }
          ],
          "source": {
            "advisory": "GHSA-2qrj-g9hq-chph",
            "discovery": "UNKNOWN"
          },
          "title": "Umbraco.Forms has HTML injection vulnerability in \u0027Send email\u0027 workflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47280",
        "datePublished": "2025-05-13T17:06:56.715Z",
        "dateReserved": "2025-05-05T16:53:10.373Z",
        "dateUpdated": "2025-05-13T17:36:37.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23041 (GCVE-0-2025-23041)

    Vulnerability from cvelistv5 – Published: 2025-01-14 18:54 – Updated: 2025-01-14 20:44
    VLAI
    Title
    Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms
    Summary
    Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: < 8.13.16
    Affected: >= 10.0.0, < 10.5.7
    Affected: >= 11.0.0, < 13.2.2
    Affected: >= 14.0.0, < 14.1.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23041",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-14T20:43:43.541022Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-14T20:44:40.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.13.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 10.0.0, \u003c 10.5.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.0.0, \u003c 13.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 14.0.0, \u003c 14.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-14T18:54:45.430Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268"
            }
          ],
          "source": {
            "advisory": "GHSA-9v8m-qv22-f268",
            "discovery": "UNKNOWN"
          },
          "title": "Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-23041",
        "datePublished": "2025-01-14T18:54:45.430Z",
        "dateReserved": "2025-01-10T15:11:08.883Z",
        "dateUpdated": "2025-01-14T20:44:40.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-35239 (GCVE-0-2024-35239)

    Vulnerability from cvelistv5 – Published: 2024-05-28 20:15 – Updated: 2024-08-02 03:07
    VLAI
    Title
    Stored Cross-site Scripting on Components of Umbraco Forms
    Summary
    Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    umbraco Umbraco.Forms.Issues Affected: >= 13.0.0, < 13.0.1
    Affected: >= 12.0.0, < 12.2.2
    Affected: >= 10.0.0, < 10.5.3
    Affected: < 8.13.13

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-35239",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T20:41:29.769321Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T20:42:39.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:07:46.872Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes"
              },
              {
                "name": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Forms.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 13.0.0, \u003c 13.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 12.0.0, \u003c 12.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 10.0.0, \u003c 10.5.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 8.13.13 "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-28T20:15:28.512Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes"
            },
            {
              "name": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024"
            }
          ],
          "source": {
            "advisory": "GHSA-p572-p2rj-q5f4",
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross-site Scripting on Components of Umbraco Forms"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-35239",
        "datePublished": "2024-05-28T20:15:28.512Z",
        "dateReserved": "2024-05-14T15:39:41.786Z",
        "dateUpdated": "2024-08-02T03:07:46.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }