CVE-2025-23041

EUVD-2025-0070
Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
| GitHub_M | CNA | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
EPSS Score
Percentile: 39%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| umbraco | umbraco_forms | 𝑥 < 8.13.15 |
| umbraco | umbraco_forms | 10.0.0 ≤ 𝑥 < 10.5.7 |
| umbraco | umbraco_forms | 13.0.0 ≤ 𝑥 < 13.2.2 |
| umbraco | umbraco_forms | 14.0.0 ≤ 𝑥 < 14.1.2 |

𝑥 = Vulnerable software versions