CVE Tools
Sign in

CVE-2025-47280

Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow

Published: May 13, 2025Updated: May 22, 2025 Sources: CVE List NVD GHSACWE-116
NVD MITRE
6.1CVSSMEDIUM
EPSS Score
0.2%
Top 85.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:RS:CC:LI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:CScope
Changed
Impact
C:LConfidentiality
Low
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-116

Affected Products

Umbraco.Forms.Issuesumbraco
On-prem
Web & CMS Plugins / cms-core
umbraco formsumbraco
On-prem
Web & CMS Plugins / cms-core
Umbraco.FormsNuGetOSS Libraries
UmbracoFormsNuGetOSS Libraries
umbracocommercialDKWeb & CMS Pluginsaka umbraco cms, umbraco forms, umbraco-cms
nugetpackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

References

https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph
github.com
https://nvd.nist.gov/vuln/detail/CVE-2025-47280
nvd.nist.gov
https://github.com/umbraco/Umbraco.Forms.Issues
github.com

Timeline

Published
May 13, 2025
Last Updated
May 22, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-47280 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows