Description
Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice user to enumerate and traverse paths/files on the system's filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended.
Published: 2026-01-29
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal and Remote File Read
Action: Patch
AI Analysis

Impact

Umbraco Forms, a form builder integrated with the Umbraco CMS, contains a path traversal flaw that allows an authenticated backoffice user to enumerate and traverse file system paths and read arbitrary files. The flaw lies in the export endpoint, which accepts a fileName parameter that can contain traversal sequences. If exploited, an attacker can access sensitive configuration files, credentials, or other confidential data residing on the host, leading to a breach of confidentiality and potential integrity compromise.

Affected Systems

Affected deployments are Umbraco Forms versions 16 and 17 running on Linux or macOS. The issue does not affect Umbraco Cloud users as the platform operates on Windows. Patches are available in release 16.4.1 for the 16 branch and 17.1.1 for the 17 branch. Versions prior to these are vulnerable.

Risk and Exploitability

The CVSS base score is 6, denoting moderate severity, and the EPSS score is less than 1%, indicating a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. An attacker requires authenticated backoffice access and can trigger the vulnerability via the /umbraco/forms/api/v1/export endpoint by providing a malicious fileName. Based on the description, the likely attack vector is an authenticated backoffice user; an authenticated vector combined with moderate impact warrants priority remediation.

Generated by OpenCVE AI on April 18, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Umbraco Forms to version 16.4.1 or 17.1.1.
  • If upgrading is not immediately possible, configure a WAF or reverse proxy to block requests containing ../ or ..\ in the fileName parameter of the /umbraco/forms/api/v1/export endpoint.
  • Restrict network access to the Umbraco backoffice to trusted IP ranges.
  • If the export feature is not required, block the /umbraco/forms/api/v1/export endpoint entirely.
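As an added example (not Umbraco's or OpenCVE's code), the following Python models the two layers of defence listed above: the WAF-style filter on the `fileName` parameter of the export endpoint, with repeated percent-decoding so encoded traversal sequences are not missed, and the canonicalisation check a server-side handler needs, which also rejects absolute paths that a `../` filter alone would pass. The export directory path and the access-log lines are assumed placeholders constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed export directory (placeholder); the real location is deployment specific.
EXPORT_ROOT = "/srv/umbraco/forms-exports"
# The two sequences the advisory names for the WAF rule.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    "GET /umbraco/forms/api/v1/export?fileName=entries-2026.csv HTTP/1.1",
    "GET /umbraco/forms/api/v1/export?fileName=..%2F..%2Fsample.txt HTTP/1.1",
    "GET /umbraco/backoffice/ HTTP/1.1",
]

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(file_name: str) -> bool:
    """WAF-style check: does the decoded fileName carry ../ or ..\\ ?"""
    return TRAVERSAL_RE.search(fully_decode(file_name)) is not None

def resolve_within_root(file_name: str, root: str = EXPORT_ROOT) -> "str | None":
    """Server-side check: canonical path, or None if it escapes the export root.
    Also rejects absolute paths, which the ../ filter alone would not catch."""
    base = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(base, fully_decode(file_name)))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate

def flag_export_requests(log_lines):
    """Return log lines whose export fileName parameter looks like traversal."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        target = urlsplit(fields[1]) if len(fields) > 1 else urlsplit("")
        if not target.path.startswith("/umbraco/forms/api/v1/export"):
            continue
        # parse_qs decodes once; is_traversal_attempt handles further layers.
        names = parse_qs(target.query).get("fileName", [])
        if any(is_traversal_attempt(n) for n in names):
            flagged.append(line)
    return flagged
```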

Generated by OpenCVE AI on April 18, 2026 at 01:21 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-hm5p-82g6-m3xh
Title: Umbraco.Forms has Path Traversal and File Enumeration Vulnerabilities in Linux/Mac
History

Mon, 02 Mar 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Umbraco umbraco Forms

Type: CPEs
Values Added:
cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Umbraco umbraco Forms

Type: Metrics cvssV3_1
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 30 Jan 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Umbraco; Umbraco forms

Type: Vendors & Products
Values Added: Umbraco; Umbraco forms

Thu, 29 Jan 2026 21:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 20:00:00 +0000

Type: Description
Values Added: Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended.

Type: Title
Values Added: Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics cvssV4_0
Values Added: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T20:47:23.180Z

Reserved: 2026-01-23T20:40:23.389Z

Link: CVE-2026-24687

Vulnrichment

Updated: 2026-01-29T20:41:37.752Z

NVD

Status: Analyzed

Published: 2026-01-29T20:16:10.430

Modified: 2026-03-02T18:34:37.510

Link: CVE-2026-24687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses