CVE-2025-23041

Published: Jan 14, 2025Modified: Sep 19, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

Affected (4)

Products: Umbraco: Umbraco Forms

Umbraco

1 product

Umbraco Forms

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Umbraco Umbraco Forms	Before 8.13.15
Umbraco Umbraco Forms	From 10.0.0 to 10.5.7
Umbraco Umbraco Forms	From 13.0.0 to 13.2.2
Umbraco Umbraco Forms	From 14.0.0 to 14.1.2

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (1)

https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268

Source: security-advisories@github.com

PatchThird Party Advisory

Timeline

No history available yet.