CVE-2025-47280

Date: May 13, 2025

Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message. Any form with this workflow configured is therefore vulnerable: attacker-controlled markup is delivered in a message sent from a trusted system and address, potentially bypassing spam filters and email client security controls. This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the "Send email with template (Razor)" workflow instead or by writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the "SendEmail" workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.
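The defect described above is output encoding, not input validation: field values are trusted text when stored, but become markup once placed inside an HTML email body. The following C# snippet is an added illustration, not Umbraco Forms code; the field names and values are constructed sample data. It shows the unencoded pattern beside the corrected one, using `System.Net.WebUtility.HtmlEncode` from the .NET base class library.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Constructed example: builds the HTML body of a notification email from
// submitted form fields. Not Umbraco Forms code; field names and values
// are sample data invented for this illustration.
public static class FormEmailBody
{
    // Vulnerable pattern: raw field values are concatenated into HTML, so a
    // value containing markup is rendered by the recipient's mail client.
    public static string BuildUnencoded(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var kv in fields)
        {
            sb.Append("<tr><td>").Append(kv.Key).Append("</td><td>")
              .Append(kv.Value).Append("</td></tr>");
        }
        return sb.Append("</table>").ToString();
    }

    // Hardened pattern: every user-supplied string is HTML-encoded before it
    // is placed inside the markup, so the mail client displays it as text.
    public static string BuildEncoded(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var kv in fields)
        {
            sb.Append("<tr><td>").Append(WebUtility.HtmlEncode(kv.Key)).Append("</td><td>")
              .Append(WebUtility.HtmlEncode(kv.Value)).Append("</td></tr>");
        }
        return sb.Append("</table>").ToString();
    }

    public static void Main()
    {
        // Sample submission (constructed): the "Message" field carries markup.
        var submitted = new Dictionary<string, string>
        {
            ["Name"] = "Alice",
            ["Message"] = "<b>bold</b> & <a href=\"https://example.invalid\">link</a>"
        };

        Console.WriteLine(BuildUnencoded(submitted)); // tags survive into the message body
        Console.WriteLine(BuildEncoded(submitted));   // tags appear as &lt;b&gt; ... literal text
    }
}
```

The same rule applies to a custom workflow type written as the advisory's workaround: encode at the point where a value is inserted into HTML, and encode the field labels as well as the values, since both originate from configuration or user input rather than from the email template itself.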

Severity Score

Weakness Type (CWE)

Improper Encoding or Escaping of Output

CWE-116

Top Fix

Upgrade Version

Upgrade to Umbraco.Forms 13.4.2 or Umbraco.Forms 15.1.2

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
