Email Injection Vulnerability in Umbraco Forms by Umbraco
CVE-2025-47280
What is CVE-2025-47280?
Umbraco Forms, an integral part of the Umbraco content management system, is susceptible to an email injection vulnerability. The flaw is in the 'Send email' workflow, which does not properly HTML encode user-submitted field values before placing them in outgoing messages. As a result, attackers could manipulate the content of emails sent through trusted systems, bypassing traditional spam filters and email security measures. All supported versions of Umbraco Forms are impacted; patches are available in versions 13.4.2 and 15.1.2. Users of affected versions are advised to use the 'Send email with template (Razor)' workflow as a temporary workaround. Additionally, users can mitigate the risk by removing the vulnerable 'SendEmail' workflow using the dedicated composer provided in the GitHub Security Advisory.
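The class of flaw described above, as an added C# example that is not Umbraco Forms code: a hypothetical `FormEmailBody` helper builds an HTML email body from submitted fields, first without encoding and then with `WebUtility.HtmlEncode`. The helper, its method names and the sample submission are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Hypothetical helper (not Umbraco Forms code): renders submitted fields into an HTML email body.
public static class FormEmailBody
{
    // Behaviour the advisory describes: field values are concatenated into the HTML unencoded.
    public static string RenderUnencoded(IEnumerable<KeyValuePair<string, string>> fields)
    {
        var sb = new StringBuilder("<dl>");
        foreach (var f in fields)
            sb.Append("<dt>").Append(f.Key).Append("</dt><dd>").Append(f.Value).Append("</dd>");
        return sb.Append("</dl>").ToString();
    }

    // Hardened form: labels and submitted values are HTML encoded before they reach the markup.
    public static string RenderEncoded(IEnumerable<KeyValuePair<string, string>> fields)
    {
        var sb = new StringBuilder("<dl>");
        foreach (var f in fields)
            sb.Append("<dt>").Append(WebUtility.HtmlEncode(f.Key))
              .Append("</dt><dd>").Append(WebUtility.HtmlEncode(f.Value)).Append("</dd>");
        return sb.Append("</dl>").ToString();
    }

    public static void Main()
    {
        // Constructed sample submission; the "message" value carries markup.
        var submission = new List<KeyValuePair<string, string>>
        {
            new("name", "Alice"),
            new("message", "<b>notice</b> <a href=\"https://example.invalid/\">link</a>"),
        };

        string unencodedBody = RenderUnencoded(submission);
        string encodedBody = RenderEncoded(submission);

        // Unencoded: the mail client renders the submitted markup as part of a trusted email.
        Console.WriteLine(unencodedBody);
        // Encoded: the same markup is shown to the recipient as literal text.
        Console.WriteLine(encodedBody);

        // Regression check a test suite could keep for any HTML email workflow.
        if (encodedBody.Contains("<a ", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("field value reached the email body unencoded");
    }
}
```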

Affected Version(s)
Umbraco.Forms.Issues >= 7.0.0, < 13.4.2 < 7.0.0, 13.4.2
Umbraco.Forms.Issues >= 15.0.0, < 15.1.2 < 15.0.0, 15.1.2
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
