CVE-2025-47280

LOW EPSS 14.8%

Published May 13, 20251y ago · Modified Jun 17, 20261w ago

2.3 CVSS 4.0

Low

Published May 13, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.

CVSS Details

Base Score

2.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

14.8% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-116

Affected Products 2

Vendor	Product	Version	Range
umbraco	umbraco_forms	*	≥7.0.0 – <13.4.2
umbraco	umbraco_forms	*	≥14.0.0 – <15.1.2

References 1

github.com https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.