Path Traversal Vulnerability in Umbraco Forms by Umbraco
CVE-2026-24687
What is CVE-2026-24687?
Umbraco Forms, a popular form builder for the Umbraco content management system, has been identified with a path traversal vulnerability that could allow authenticated backoffice users to traverse the filesystem and access sensitive file contents. This issue is applicable to Mac and Linux installations of Umbraco. Users on Umbraco Cloud, which operates in a Windows environment, are not affected. The vulnerability exists in versions 16 and 17 of Umbraco Forms and has been addressed in updates 16.4.1 and 17.1.1. For those unable to upgrade immediately, it is advisable to mitigate risks by employing a Web Application Firewall (WAF) or reverse proxy to block path traversal attempts, restricting access to the backoffice from trusted IPs, or completely disabling the export feature by blocking the relevant endpoint.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Umbraco.Forms.Issues >= 16.0.0, < 16.4.1 < 16.0.0, 16.4.1
Umbraco.Forms.Issues >= 17.0.0, < 17.1.1 < 17.0.0, 17.1.1
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved