CVE-2025-47280

NONE0.0EPSS 0.26%

Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow

Published: 5/13/2025Modified: 5/13/2025

Description

### Impact The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems). ### Patches This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. ### Workarounds Unpatched or unsupported versions can workaround this issue by using the 'Send email with template (Razor)' workflow instead or [writing a custom workflow type](https://docs.umbraco.com/umbraco-forms/developer/extending/adding-a-workflowtype). To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15): ```c# using Umbraco.Cms.Core.Composing; using Umbraco.Forms.Core.Providers.Extensions; using Umbraco.Forms.Core.Providers.WorkflowTypes; internal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer { public void Compose(IUmbracoBuilder builder) => builder.FormsWorkflows().Exclude<SendEmail>(); } ```

Affected packages (2)

NuGet/Umbraco.Forms>= 7.0.0, < 13.4.2
NuGet/UmbracoForms>= 7.0.0, <= 8.13.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U
osv	CVSS 3.1	NONE0.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N

Description

Affected packages (2)

CVSS scores

References (3)