CVE-2025-68924

Published: Jan 16, 2026Modified: Feb 20, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: MITRE (Secondary)

Description

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

Affected (1)

Products: Umbraco: Umbraco Forms

Umbraco

1 product

Umbraco Forms

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Umbraco Umbraco Forms	Up to 8.13.16

Related CWEs

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References (3)

https://github.com/advisories/GHSA-vrgw-pc9c-qrrc

Source: cve@mitre.org

VDB EntryVendor AdvisoryMitigation

https://our.umbraco.com/packages/developer-tools/umbraco-forms/

Source: cve@mitre.org

Release Notes

https://www.nuget.org/packages/UmbracoForms

Source: cve@mitre.org

Product

Timeline

No history available yet.