NuGet package
umbraco.forms
pkg:nuget/umbraco.forms
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24687 | — | | | >= 16.0.0, < 16.4.1 | 16.4.1 | Jan 29, 2026 | Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the system's filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. |
| CVE-2025-47280 | — | | | >= 7.0.0, < 13.4.2 | 13.4.2 | May 13, 2025 | Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form |
| CVE-2025-23041 | — | | | < 10.5.7 | 10.5.7 | Jan 14, 2025 | Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are a |
| CVE-2024-35239 | — | | | >= 13.0.0, < 13.0.1 | 13.0.1 | May 28, 2024 | Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgra |