Email Injection Vulnerability in Umbraco Forms by Umbraco
CVE-2025-47280

2.3 LOW

Key Information:

Vendor:
Umbraco

CVE Published:
13 May 2025

What is CVE-2025-47280?

Umbraco Forms, an integral part of the Umbraco content management system, is susceptible to an email injection vulnerability. The flaw lies in the 'Send email' workflow, which does not HTML-encode user-submitted field values before placing them in outgoing messages. Consequently, this oversight could enable attackers to manipulate emails sent through trusted systems, bypassing traditional spam filters and email security measures. All supported versions of Umbraco Forms are impacted, with patches available in versions 13.4.2 and 15.1.2. Users of affected versions are advised to use the 'Send email with template (Razor)' workflow as a temporary solution. Additionally, users can mitigate risk by removing the vulnerable 'SendEmail' workflow using the dedicated composer provided in the GitHub Security Advisory.
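The defect class described above, as an added illustration (this is not Umbraco Forms' code, and the field dictionary, method names and sample submission are all assumptions constructed for the example): a form value concatenated into an HTML email body without encoding, next to the same body built with System.Net.WebUtility.HtmlEncode, plus a simple check a defender can run over submitted values to flag those containing HTML metacharacters.

```csharp
// Added example, not Umbraco Forms' own code. Shows the class of defect
// behind CVE-2025-47280 (unencoded form values in an HTML e-mail body)
// next to the encoded form. Field names and values are constructed.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class FormEmailBody
{
    // Vulnerable pattern (hypothetical helper): raw values are appended
    // straight into the HTML body, so any markup a submitter typed
    // becomes live markup in the outgoing message.
    public static string BuildUnencoded(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<ul>");
        foreach (var kv in fields)
        {
            sb.Append("<li><strong>").Append(kv.Key).Append(":</strong> ")
              .Append(kv.Value).Append("</li>");
        }
        return sb.Append("</ul>").ToString();
    }

    // Hardened pattern: every field name and value is HTML-encoded, so
    // submitted text is rendered as text rather than as tags or links.
    public static string BuildEncoded(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<ul>");
        foreach (var kv in fields)
        {
            sb.Append("<li><strong>").Append(WebUtility.HtmlEncode(kv.Key))
              .Append(":</strong> ").Append(WebUtility.HtmlEncode(kv.Value))
              .Append("</li>");
        }
        return sb.Append("</ul>").ToString();
    }

    // Defender-side check: a value whose encoded form differs from its raw
    // form contains characters meaningful to HTML and is worth logging or
    // reviewing before it reaches a trusted mail path.
    public static bool ContainsHtmlMetacharacters(string value) =>
        !string.Equals(value, WebUtility.HtmlEncode(value), StringComparison.Ordinal);

    public static void Main()
    {
        // Constructed sample submission; the "message" value carries markup.
        var submission = new Dictionary<string, string>
        {
            ["name"] = "Alice Example",
            ["message"] = "Hello <b>there</b> & thanks",
        };

        Console.WriteLine("Unencoded body: " + BuildUnencoded(submission));
        Console.WriteLine("Encoded body:   " + BuildEncoded(submission));
        foreach (var kv in submission)
        {
            Console.WriteLine(
                $"{kv.Key}: contains HTML metacharacters = {ContainsHtmlMetacharacters(kv.Value)}");
        }
    }
}
```

The encoded body turns `<b>there</b> & thanks` into `&lt;b&gt;there&lt;/b&gt; &amp; thanks`, which a mail client displays literally; the unencoded body delivers the bold tag as markup. The same encode-at-the-sink rule is what the Razor template workflow recommended above gives you by default.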

Affected Version(s)

Product                 Affected range          Not affected
Umbraco.Forms.Issues    >= 7.0.0, < 13.4.2      < 7.0.0, 13.4.2
Umbraco.Forms.Issues    >= 15.0.0, < 15.1.2     < 15.0.0, 15.1.2

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
