SCA: security update for Umbraco.Forms (GHSA-2qrj-g9hq-chph)

low Tenable Self-Hosted Container Security Plugin ID 434679

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in
the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the
user-provided field values in the sent email message, making any form with this workflow configured
vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam
and email client security systems. This issue affects all (supported) versions Umbraco Forms and is
patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the
`Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid
accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a
composer available in the GitHub Security Advisory for this vulnerability. (CVE-2025-47280)

See Also

https://github.com/advisories/GHSA-2qrj-g9hq-chph

Plugin Details

Severity: Low

ID: 434679

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.37

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-47280

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.3

Threat Score: 5.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/13/2025

Vulnerability Publication Date: 5/13/2025

Reference Information

CVE: CVE-2025-47280

cwe: CWE-116