CVE-2026-24687
EPSS 0.03%Umbraco.Forms has Path Traversal and File Enumeration Vulnerabilities in Linux/Mac
Description
### Impact It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. ### Patches This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1 ### Workarounds If upgrading is not immediately possible, users can mitigate this vulnerability by: * Configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint * Restricting network access to the Umbraco backoffice to trusted IP ranges * Blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required However, upgrading to the patched version is strongly recommended. ### References Credit to Kevin Joensen from Baldur Security for finding this vulnerability
Affected packages (1)
- NuGet/Umbraco.Forms>= 16.0.0, < 16.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |