Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-47280

CVE-2025-47280: Umbraco Forms XSS Vulnerability

CVE-2025-47280 is an XSS vulnerability in Umbraco Forms where the Send email workflow fails to encode user input, allowing malicious code injection. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-47280 Overview

CVE-2025-47280 affects Umbraco Forms, a form builder that integrates with the Umbraco content management system (CMS). The Send email workflow fails to HTML encode user-provided field values when composing outbound email messages. An attacker can submit a form with crafted content that becomes part of an email sent from a trusted system address. This allows adversaries to relay attacker-controlled content through legitimate infrastructure, potentially bypassing spam filters and email client security controls. The vulnerability affects the 7.x branch and later versions prior to 13.4.2 and 15.1.2. This issue is categorized under [CWE-116] Improper Encoding or Escaping of Output.

Critical Impact

Attackers can inject unescaped HTML into emails sent from a trusted Umbraco Forms deployment, enabling phishing content delivery through a reputable sender.

Affected Products

  • Umbraco Forms 7.x through versions prior to 13.4.2
  • Umbraco Forms versions prior to 15.1.2
  • All supported Umbraco Forms releases using the SendEmail workflow type

Discovery Timeline

  • 2025-05-13 - CVE-2025-47280 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-47280

Vulnerability Analysis

Umbraco Forms provides configurable workflows that execute when a visitor submits a form. The Send email workflow constructs an email body from submitted field values and forwards it to a configured recipient. The workflow inserts these field values into the outgoing HTML message body without applying HTML encoding. An attacker submitting a form can include HTML markup, links, or styled content that renders directly in the recipient's mail client.

Because the email originates from the Umbraco Forms deployment, it carries the sending domain's SPF, DKIM, and DMARC alignment. Downstream mail systems treat the message as legitimate correspondence from a trusted source. This trust context increases the likelihood that phishing content reaches inboxes rather than spam folders.

Root Cause

The root cause is missing output encoding in the SendEmail workflow implementation. User-controlled input flows from the form submission handler directly into the HTML email template. The workflow treats field values as safe content rather than untrusted input requiring context-appropriate escaping.

Attack Vector

Exploitation requires network access to a public form that has the vulnerable Send email workflow configured. The attacker submits the form with HTML payloads in text fields. The Umbraco Forms server generates and sends an email containing the raw markup to the configured recipient. User interaction is required at the recipient side to open the message and interact with injected content. The vulnerability does not grant code execution or direct access to the Umbraco backend.

Refer to the GitHub Security Advisory GHSA-2qrj-g9hq-chph for the vendor's technical description.

Detection Methods for CVE-2025-47280

Indicators of Compromise

  • Outbound emails from the Umbraco Forms deployment containing unexpected HTML tags, external links, or embedded styles in field content.
  • Recipient reports of phishing messages that appear to originate from the organization's forms mailer address.
  • Form submissions in Umbraco logs containing markup such as <a href=, <script>, or <img src= inside text fields.

Detection Strategies

  • Review Umbraco Forms configuration and identify every form using the SendEmail workflow type.
  • Inspect stored form submission records for HTML markup in field values that should contain plain text.
  • Correlate outbound mail server logs with form submission timestamps to identify anomalous message content.

Monitoring Recommendations

  • Alert on outbound messages from the forms mailer that contain hyperlinks to external domains not owned by the organization.
  • Monitor form submission volumes for spikes that may indicate automated abuse of the workflow.
  • Track recipient complaints and bounce patterns for the sending address associated with Umbraco Forms.

How to Mitigate CVE-2025-47280

Immediate Actions Required

  • Upgrade Umbraco Forms to version 13.4.2 or 15.1.2, matching the supported branch for your Umbraco CMS deployment.
  • Audit all forms currently using the Send email workflow and identify public-facing submission endpoints.
  • Restrict form recipients to internal mailboxes until the patch is applied.

Patch Information

Umbraco has released fixed versions 13.4.2 and 15.1.2 that apply HTML encoding to user-provided field values in the Send email workflow. Administrators running any 7.x through pre-13.4.2 release or any 14.x through pre-15.1.2 release should upgrade immediately. Full remediation details are available in the GitHub Security Advisory GHSA-2qrj-g9hq-chph.

Workarounds

  • Replace the vulnerable Send email workflow with the Send email with template (Razor) workflow, which applies proper output encoding.
  • Implement a custom workflow type that HTML encodes all field values before assembling the message body.
  • Remove the SendEmail workflow type entirely using the composer published in the GitHub Security Advisory to prevent accidental reuse.
bash
# Update Umbraco Forms via NuGet to the patched release
dotnet add package Umbraco.Forms --version 15.1.2
# Or for the 13.x branch
dotnet add package Umbraco.Forms --version 13.4.2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.