Umbraco Forms

4 CVEs product

CVE-2026-24687 NuGet MEDIUM PATCH This Month

Authenticated users in Umbraco Forms versions 16 and 17 can exploit a path traversal vulnerability to read arbitrary files on Mac and Linux systems running the CMS. An attacker with backoffice access can enumerate and access sensitive files through the export endpoint by manipulating the fileName parameter. No patch is currently available, though the vulnerability is mitigated by restricting backoffice access and blocking path traversal sequences at the WAF level.

Linux Path Traversal Umbraco Forms
NVD GitHub
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2025-68924 NuGet HIGH This Week

Umbraco Forms versions up to 8.13.16 are affected by inclusion of functionality from an untrusted control sphere (CVSS 7.5).

RCE Umbraco Forms
NVD GitHub
CVSS 3.1: 7.5 | EPSS: 0.1%
CVE-2025-47280 NuGet LOW POC PATCH Monitor

Umbraco Forms is a form builder that integrates with the Umbraco content management system. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.

Authentication Bypass Umbraco Forms
NVD GitHub
CVSS 4.0: 2.3 | EPSS: 0.3%
CVE-2025-23041 NuGet MEDIUM PATCH This Month

Umbraco.Forms is a web form framework written for the NuGet ecosystem. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable with low attack complexity and requires no authentication.

Information Disclosure Umbraco Forms
NVD GitHub
CVSS 3.1: 5.8 | EPSS: 0.2%