CVE-2025-23041

Umbraco.Forms is a web form framework written for the NuGet ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
| GitHub_M | CNA | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |

CISA-ADP (ADP): ---, ---

EPSS Score percentile: 36%

| Vendor | Product | Version |
|---|---|---|
| umbraco | umbraco_forms | 𝑥 < 8.13.15 |
| umbraco | umbraco_forms | 10.0.0 ≤ 𝑥 < 10.5.7 |
| umbraco | umbraco_forms | 13.0.0 ≤ 𝑥 < 13.2.2 |
| umbraco | umbraco_forms | 14.0.0 ≤ 𝑥 < 14.1.2 |

𝑥 = Vulnerable software versions